<pre style='margin:0'>
Frank Schima (mf2k) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/543d0919e1b8bb23dd001b1096cde06a60f07367">https://github.com/macports/macports-ports/commit/543d0919e1b8bb23dd001b1096cde06a60f07367</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 543d091 macos-fortress: Update configuration files and launchd bugfix
</span>543d091 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 543d0919e1b8bb23dd001b1096cde06a60f07367
</span>Author: Steven Thomas Smith <s.t.smith@ieee.org>
AuthorDate: Fri Apr 3 13:54:03 2020 -0400
<span style='display:block; white-space:pre;color:#404040;'> macos-fortress: Update configuration files and launchd bugfix
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> * squid.conf: Bypass `privoxy` for TLS connections
</span><span style='display:block; white-space:pre;color:#404040;'> * privoxy config: Latest User Agent
</span><span style='display:block; white-space:pre;color:#404040;'> * macos-fortress-proxy.squid-rotate: Fix Portfile launch daemon issue
</span><span style='display:block; white-space:pre;color:#404040;'> * zoom.us TLS traffic proxy bypass rules
</span>---
net/macos-fortress/Portfile | 37 +-
net/macos-fortress/files/privoxy-config.macports | 2282 +++++
net/macos-fortress/files/privoxy-config.patch | 4 +-
.../files/privoxy-match-all.action.macports | 39 +
.../files/privoxy-match-all.action.patch | 6 +-
net/macos-fortress/files/squid-squid.conf.patch | 126 +-
net/macos-fortress/files/squid.conf.macports | 8835 ++++++++++++++++++++
7 files changed, 11278 insertions(+), 51 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/Portfile b/net/macos-fortress/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index b2720eb..3e01e06 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3,7 +3,7 @@
</span> PortSystem 1.0
name macos-fortress
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 2020.01.31
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 2020.04.03
</span> revision 0
categories net security
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -514,13 +514,24 @@ subport ${name}-proxy {
</span> port:squid4
# squid patch file creation
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # mkdir squid-orig squid-new
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # cp ${prefix}/etc/squid.conf.documented squid-orig/squid.conf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # cp squid.conf.new squid-new/squid.conf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # sed -E -i -e 's|/opt/local|@PREFIX@|g' squid-orig/squid.conf
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # diff -NaurdwB -I '^ *#.*' ./squid-orig/squid.conf ./squid-new/squid.conf | sed -E -e 's/\.\/squid-(orig|new)\/(squid.conf)(\.[[:alnum:]]+)*/\.\/squid.conf/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## export prefix=${prefix}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## mkdir squid-orig squid-new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## cp ${prefix}/etc/squid/squid.conf.documented squid-orig/squid.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## cp ${prefix}/etc/squid/squid.conf.documented squid-new/squid.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## patch -p0 -f -l -N squid-new/squid.conf < ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## sed -E -i -e 's|/opt/local|@PREFIX@|g' squid-orig/squid.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## diff -NaurdwB -I '^ *#' ./squid-orig/squid.conf ./squid-new/squid.conf | sed -E -e 's/\.\/squid-(orig|new)\/(squid.conf)(\.[[:alnum:]]+)*/\.\/squid.conf/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/squid-squid.conf.patch
</span> # privoxy patch file creation
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # diff -NaurdwB -I '^ *#.*' ./privoxy-orig/config ./privoxy-new/config | sed -E -e 's/\.\/privoxy-(orig|new)\/(config)(\.[[:alnum:]]+)*/\.\/config/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/privoxy-config.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## mkdir privoxy-orig privoxy-new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## sudo cp ${prefix}/etc/privoxy/config.new privoxy-orig/config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## sudo cp ${prefix}/etc/privoxy/match-all.action.new privoxy-orig/match-all.action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## sudo cp ${prefix}/etc/privoxy/config.new privoxy-new/config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## sudo cp ${prefix}/etc/privoxy/match-all.action.new privoxy-new/match-all.action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## sudo chown `whoami` privoxy-orig/config privoxy-new/config privoxy-orig/match-all.action privoxy-new/match-all.action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## patch -p0 -f -l -N privoxy-new/config < ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/macos-fortress/files/privoxy-config.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## patch -p0 -f -l -N privoxy-new/match-all.action < ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/net/macos-fortress/files/privoxy-match-all.action.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## diff -NaurdwB -I '^ *#' ./privoxy-orig/config ./privoxy-new/config | sed -E -e 's/\.\/privoxy-(orig|new)\/(config)(\.[[:alnum:]]+)*/\.\/config/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/privoxy-config.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ## diff -NaurdwB -I '^ *#' ./privoxy-orig/match-all.action ./privoxy-new/match-all.action | sed -E -e 's/\.\/privoxy-(orig|new)\/(config)(\.[[:alnum:]]+)*/\.\/config/' | sed -E -e 's|/opt/local|@PREFIX@|g' > ~/Downloads/privoxy-match-all.action.patch
</span> destroot {
xinstall -m 0644 \
${filespath}/squid-squid.conf.patch \
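Review bot: The last added recipe line, the diff for match-all.action, reuses the sed expression from the
config line, 's/\.\/privoxy-(orig|new)\/(config)(\.[[:alnum:]]+)*/\.\/config/'. That pattern never matches
./privoxy-orig/match-all.action, so the generated privoxy-match-all.action.patch keeps the privoxy-orig and
privoxy-new paths in its headers, unlike privoxy-config.patch. Suggest matching (match-all\.action) and
rewriting to ./match-all.action. Separately, on the squid line, 'sed -E -i -e ...' is parsed by the BSD sed
shipped with macOS as -i with the backup suffix "-e", which leaves a squid.conf-e file in squid-orig;
'sed -E -i "" -e ...' avoids that.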
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -584,7 +595,7 @@ subport ${name}-proxy {
</span> "-insert StandardErrorPath -string ${prefix}/var/log/${name}.log" \
"-insert StandardOutPath -string ${prefix}/var/log/${name}.log" \
] \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- org.macports.${startupitem.name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ org.macports.${subport}
</span> # bruteforce expiration launchd daemon
plutil_startup [list \
"-insert Program -string ${prefix}/sbin/squid" \
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -610,8 +621,8 @@ subport ${name}-proxy {
</span> subport ${name}-easylistpac {
PortGroup github 1.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>- github.setup essandess easylist-pac-privoxy 67d66d5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- version 2019.12.15
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ github.setup essandess easylist-pac-privoxy 3a2651f
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ version 2020.04.03
</span> revision 0
description EasyList Tracker and Adblocks to Proxy Auto Configuration (PAC) File
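Review bot: The new github.setup line pins easylist-pac-privoxy by a 7-character abbreviated commit id
(3a2651f). The rmd160, sha256 and size values updated in the next hunk are what fix the tarball contents,
so integrity is still checked, but the full 40-character commit id would make the pin unambiguous and
easier to audit against the upstream repository. Suggest using the full id here.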
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -627,9 +638,9 @@ subport ${name}-easylistpac {
</span>
homepage https://github.com/essandess/easylist-pac-privoxy
<span style='display:block; white-space:pre;background:#ffe0e0;'>- checksums rmd160 79d6f230c561fb492b957a75de79bd1cdf01b79c \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha256 da5f6a8717519d40d17360da6c746d56e4ee43d8afe5f10846dedc30501a615f \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- size 81748
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ checksums rmd160 e5420fd181bd33a82ee8ecf5e8bae679c82b2ffe \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 f953009707fcc83d77a1b1bfa2d2c9d080fbe2305aa2cd37fbf23b3c5a403ad1 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size 81942
</span>
depends_lib-append \
port:adblock2privoxy \
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/privoxy-config.macports b/net/macos-fortress/files/privoxy-config.macports
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..5e30e6a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/privoxy-config.macports
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,2282 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sample Configuration File for Privoxy 3.0.26
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#####################################################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Table of Contents #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I. INTRODUCTION #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# II. FORMAT OF THE CONFIGURATION FILE #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. LOCAL SET-UP DOCUMENTATION #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. CONFIGURATION AND LOG FILE LOCATIONS #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. DEBUGGING #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4. ACCESS CONTROL AND SECURITY #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5. FORWARDING #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6. MISCELLANEOUS #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 7. WINDOWS GUI OPTIONS #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#####################################################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I. INTRODUCTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file holds Privoxy's main configuration. Privoxy detects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration changes automatically, so you don't have to restart
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it unless you want to load a different configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The configuration will be reloaded with the first request after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the change was done, this request itself will still use the old
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration, though. In other words: it takes two requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# before you see the result of your changes. Requests that are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dropped due to ACL don't trigger reloads.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When starting Privoxy on Unix systems, give the location of this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# file as last argument. On Windows systems, Privoxy will look for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this file with the name 'config.txt' in the current working
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory of the Privoxy process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# II. FORMAT OF THE CONFIGURATION FILE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configuration lines consist of an initial keyword followed by a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list of values, all separated by whitespace (any number of spaces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or tabs). For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actionsfile default.action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Indicates that the actionsfile is named 'default.action'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The '#' indicates a comment. Any part of a line following a '#' is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignored, except if the '#' is preceded by a '\'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Thus, by placing a # at the start of an existing configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# line, you can make it a comment and it will be treated as if it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# weren't there. This is called "commenting out" an option and can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be useful. Removing the # again is called "uncommenting".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that commenting out an option and leaving it at its default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are two completely different things! Most options behave very
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# differently when unset. See the "Effect if unset" explanation in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each option's description for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Long lines can be continued on the next line by using a `\' as the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last character.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. LOCAL SET-UP DOCUMENTATION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you intend to operate Privoxy for more users than just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# yourself, it might be a good idea to let them know how to reach
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you, what you block and why you do that, your policies, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1.1. user-manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location of the Privoxy User Manual.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A fully qualified URI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://www.privoxy.org/version/user-manual/ will be used,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where version is the Privoxy version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The User Manual URI is the single best source of information
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on Privoxy, and is used for help links from some of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internal CGI pages. The manual itself is normally packaged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the binary distributions, so you probably want to set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this to a locally installed copy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The best all purpose solution is simply to put the full local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PATH to where the User Manual is located:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user-manual /usr/share/doc/privoxy/user-manual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The User Manual is then available to anyone with access to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy, by following the built-in URL: http://
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# config.privoxy.org/user-manual/ (or the shortcut: http://p.p/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user-manual/).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the documentation is not on the local system, it can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accessed from a remote server, as:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user-manual http://example.com/privoxy/user-manual/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING!!!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set, this option should be the first option in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# config file, because it is used while the config file is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being read.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#user-manual https://www.privoxy.org/user-manual/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1.2. trust-info-url
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A URL to be displayed in the error page that users will see if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to an untrusted page is denied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No links are displayed on the "untrusted" error page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The value of this option only matters if the experimental
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# trust mechanism has been activated. (See trustfile below.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you use the trust mechanism, it is a good idea to write up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some on-line documentation about your trust policy and to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specify the URL(s) here. Use multiple times for multiple URLs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The URL(s) should be added to the trustfile as well, so users
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# don't end up locked out from the information on why they were
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# locked out in the first place!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#trust-info-url http://www.example.com/why_we_block.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#trust-info-url http://www.example.com/what_we_allow.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1.3. admin-address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An email address to reach the Privoxy administrator.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Email address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No email address is displayed on error pages and the CGI user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interface.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If both admin-address and proxy-info-url are unset, the whole
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Local Privoxy Support" box on all generated pages will not be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shown.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#admin-address privoxy-admin@example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+admin-address root@@PROXY_HOSTNAME@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1.4. proxy-info-url
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A URL to documentation about the local Privoxy setup,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration or policies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No link to local documentation is displayed on error pages and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the CGI user interface.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If both admin-address and proxy-info-url are unset, the whole
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Local Privoxy Support" box on all generated pages will not be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shown.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This URL shouldn't be blocked ;-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#proxy-info-url http://www.example.com/proxy-service.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. CONFIGURATION AND LOG FILE LOCATIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ========================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy can (and normally does) use a number of other files for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional configuration, help and logging. This section of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration file tells Privoxy where to find those other files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The user running Privoxy, must have read permission for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration files, and write permission to any files that would
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be modified, such as log files and actions files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.1. confdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The directory where the other configuration files are located.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /etc/privoxy (Unix) or Privoxy installation dir (Windows)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mandatory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No trailing "/", please.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+confdir /opt/local/etc/privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.2. templdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An alternative directory where the templates are loaded from.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The templates are assumed to be located in confdir/template.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy's original templates are usually overwritten with each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# update. Use this option to relocate customized templates that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should be kept. As template variables might change between
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# updates, you shouldn't expect templates to work with Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# releases other than the one they were part of, though.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#templdir .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.3. temporary-directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A directory where Privoxy can create temporary files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No temporary files are created, external filters don't work.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To execute external filters, Privoxy has to create temporary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# files. This directive specifies the directory the temporary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# files should be written to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It should be a directory only Privoxy (and trusted users) can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#temporary-directory .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.4. logdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The directory where all logging takes place (i.e. where the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logfile is located).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /var/log/privoxy (Unix) or Privoxy installation dir (Windows)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mandatory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No trailing "/", please.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+logdir /opt/local/var/log/privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.5. actionsfile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The actions file(s) to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Complete file name, relative to confdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default values:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# match-all.action # Actions that are applied to all sites and maybe overruled later on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default.action # Main actions file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user.action # User customizations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No actions are taken at all. More or less neutral proxying.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple actionsfile lines are permitted, and are in fact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recommended!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default values are default.action, which is the "main"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actions file maintained by the developers, and user.action,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where you can make your personal additions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Actions files contain all the per site and per URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration for ad blocking, cookie management, privacy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# considerations, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+actionsfile default.action # Main actions file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+actionsfile user.action # User customizations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+actionsfile @PREFIX@/etc/adblock2privoxy/privoxy/ab2p.system.action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+actionsfile @PREFIX@/etc/adblock2privoxy/privoxy/ab2p.action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.6. filterfile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The filter file(s) to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# File name, relative to confdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default.filter (Unix) or default.filter.txt (Windows)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No textual content filtering takes place, i.e. all +filter{name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actions in the actions files are turned neutral.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple filterfile lines are permitted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The filter files contain content modification rules that use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# regular expressions. These rules permit powerful changes on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the content of Web pages, and optionally the headers as well,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# e.g., you could try to disable your favorite JavaScript
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# annoyances, re-write the actual displayed text, or just have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some fun playing buzzword bingo with web pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The +filter{name} actions rely on the relevant filter (name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to be defined in a filter file!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A pre-defined filter file called default.filter that contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a number of useful filters for common problems is included in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the distribution. See the section on the filter action for a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is recommended to place any locally adapted filters into a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separate file, such as user.filter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+filterfile default.filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+filterfile user.filter # User customizations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+filterfile @PREFIX@/etc/adblock2privoxy/privoxy/ab2p.system.filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+filterfile @PREFIX@/etc/adblock2privoxy/privoxy/ab2p.filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.7. logfile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The log file to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# File name, relative to logdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset (commented out). When activated: logfile (Unix) or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# privoxy.log (Windows).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No logfile is written.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The logfile is where all logging and error messages are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# written. The level of detail and number of messages are set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the debug option (see below). The logfile can be useful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for tracking down a problem with Privoxy (e.g., it's not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocking an ad you think it should block) and it can help you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to monitor what your browser is doing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Depending on the debug options below, the logfile may be a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# privacy risk if third parties can get access to it. As most
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users will never look at it, Privoxy only logs fatal errors by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For most troubleshooting purposes, you will have to change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that, please refer to the debugging section for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Any log files must be writable by whatever user Privoxy is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being run as (on Unix, default user id is "privoxy").
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To prevent the logfile from growing indefinitely, it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recommended to periodically rotate or shorten it. Many
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# operating systems support log rotation out of the box, some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require additional software to do it. For details, please
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refer to the documentation for your operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+logfile logfile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2.8. trustfile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The name of the trust file to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# File name, relative to confdir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset (commented out). When activated: trust (Unix) or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# trust.txt (Windows)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The entire trust mechanism is disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The trust mechanism is an experimental feature for building
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# white-lists and should be used with care. It is NOT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recommended for the casual user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you specify a trust file, Privoxy will only allow access to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sites that are specified in the trustfile. Sites can be listed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in one of two ways:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prepending a ~ character limits access to this site only (and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any sub-paths within this site), e.g. ~www.example.com allows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to ~www.example.com/features/news.html, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Or, you can designate sites as trusted referrers, by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prepending the name with a + character. The effect is that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to untrusted sites will be granted -- but only if a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# link from this trusted referrer was used to get there. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# link target will then be added to the "trustfile" so that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# future, direct accesses will be granted. Sites added via this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mechanism do not become trusted referrers themselves (i.e.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# they are added with a ~ designation). There is a limit of 512
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# such entries, after which new entries will not be made.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you use the + operator in the trust file, it may grow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# considerably over time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is recommended that Privoxy be compiled with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --disable-force, --disable-toggle and --disable-editor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options, if this feature is to be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Possible applications include limiting Internet access for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# children.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#trustfile trust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. DEBUGGING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These options are mainly useful when tracing a problem. Note that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you might also want to invoke Privoxy with the --no-daemon command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# line option when debugging.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3.1. debug
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===========
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Key values that determine what information gets logged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Integer values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 (i.e.: only fatal errors (that cause Privoxy to exit) are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logged)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value is used (see above).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The available debug levels are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 2 # show each connection status
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 4 # show I/O status
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 8 # show header parsing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 16 # log all data written to the network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 32 # debug force feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 64 # debug regular expression filters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 128 # debug redirects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 256 # debug GIF de-animation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 512 # Common Log Format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 2048 # CGI user interface
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 4096 # Startup banner and warnings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 8192 # Non-fatal errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 32768 # log all data read from the network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# debug 65536 # Log the applying actions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To select multiple debug levels, you can either add them or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use multiple debug lines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A debug level of 1 is informative because it will show you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each request as it happens. 1, 1024, 4096 and 8192 are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recommended so that you will notice when things go wrong. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other levels are probably only of interest if you are hunting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# down a specific problem. They can produce a hell of an output
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (especially 16).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are used to the more verbose settings, simply enable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the debug lines below again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to use pure CLF (Common Log Format), you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set "debug 512" ONLY and not enable anything else.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy has a hard-coded limit for the length of log messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If it's reached, messages are logged truncated and marked with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "... [too long, truncated]".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please don't file any support requests without trying to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reproduce the problem with increased debug level first. Once
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you read the log messages, you may even be able to solve the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# problem on your own.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug 1024 # Actions that are applied to all sites and maybe overruled later on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug 4096 # Startup banner and warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#debug 8192 # Non-fatal errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
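Review bot: the trailing comment on the commented-out "#debug 1024" line reads
"Actions that are applied to all sites and maybe overruled later on", which
contradicts the level table a few lines above, where 1024 is "Log the destination
for requests Privoxy didn't let through, and the reason why"; the trailing comment
should match the table. All four debug lines also ship commented out, so only fatal
errors are logged (the documented default of 0), although the notes recommend
1, 1024, 4096 and 8192 "so that you will notice when things go wrong". Consider
enabling at least 4096 and 8192 in the installed configuration so that startup
warnings and non-fatal errors reach the log.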
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3.2. single-threaded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =====================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to run only one server thread.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 or 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multi-threaded (or, where unavailable: forked) operation, i.e.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the ability to serve multiple requests simultaneously.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is only there for debugging purposes. It will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# drastically reduce performance.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#single-threaded 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3.3. hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The hostname shown on the CGI pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Text
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The hostname provided by the operating system is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On some misconfigured systems resolving the hostname fails or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# takes too much time and slows Privoxy down. Setting a fixed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hostname works around the problem.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In other circumstances it might be desirable to show a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hostname other than the one returned by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example if the system has several different hostnames and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you don't want to use the first one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that Privoxy does not validate the specified hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hostname @PROXY_HOSTNAME@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4. ACCESS CONTROL AND SECURITY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This section of the config file controls the security-relevant
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aspects of Privoxy's configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.1. listen-address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The address and TCP port on which Privoxy will listen for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [IP-Address]:Port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [Hostname]:Port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 127.0.0.1:8118
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# suitable and recommended for home users who run Privoxy on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# same machine as their browser.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You will need to configure your browser(s) to this proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address and port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you already have another service running on port 8118, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if you want to serve requests from other machines (e.g. on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your local network) as well, you will need to override the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can use this statement multiple times to make Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen on more ports or more IP addresses. Suitable if your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# operating system does not support sharing IPv6 and IPv4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocols on the same socket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If a hostname is used instead of an IP address, Privoxy will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# try to resolve it to an IP address and if there are multiple,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use the first one returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the address for the hostname isn't already known on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system (for example because it's in /etc/hostname), this may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# result in DNS traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the specified address isn't available on the system, or if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the hostname can't be resolved, Privoxy will fail to start.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPv6 addresses containing colons have to be quoted by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# brackets. They can only be used if Privoxy has been compiled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with IPv6 support. If you aren't sure if your version supports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it, have a look at http://config.privoxy.org/show-status.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some operating systems will prefer IPv6 to IPv4 addresses even
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if the system has no IPv6 connectivity which is usually not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expected by the user. Some even rely on DNS to resolve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# localhost which mean the "localhost" address used may not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actually be local.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is therefore recommended to explicitly configure the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intended IP address instead of relying on the operating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system, unless there's a strong reason not to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you leave out the address, Privoxy will bind to all IPv4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interfaces (addresses) on your machine and may become
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reachable from the Internet and/or the local network. Be aware
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that some GNU/Linux distributions modify that behaviour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without updating the documentation. Check for non-standard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# patches if your Privoxy version behaves differently.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you configure Privoxy to be reachable from the network,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# consider using access control lists (ACL's, see below), and/or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a firewall.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you open Privoxy to untrusted users, you will also want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make sure that the following actions are disabled:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enable-edit-actions and enable-remote-toggle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Suppose you are running Privoxy on a machine which has the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address 192.168.0.1 on your local private network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (192.168.0.0) and has another outside connection with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# different address. You want it to serve requests from inside
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen-address 192.168.0.1:8118
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Suppose you are running Privoxy on an IPv6-capable machine and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you want it to listen on the IPv6 address of the loopback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# device:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen-address [::1]:8118
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+listen-address @PROXY_SERVER@:8118
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.2. toggle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Initial state of "toggle" status
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1 or 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Act as if toggled on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 0, Privoxy will start in "toggled off" mode, i.e.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mostly behave like a normal, content-neutral proxy with both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ad blocking and content filtering disabled. See
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enable-remote-toggle below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+toggle 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.3. enable-remote-toggle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not the web-based toggle feature may be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The web-based toggle feature is disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When toggled off, Privoxy mostly acts like a normal,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content-neutral proxy, i.e. doesn't block ads or filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Access to the toggle feature can not be controlled separately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by "ACLs" or HTTP authentication, so that everybody who can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access Privoxy (see "ACLs" and listen-address above) can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# toggle it for all users. So this option is not recommended for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multi-user environments with untrusted users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that malicious client side code (e.g Java) is also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capable of using this option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# As a lot of Privoxy users don't read documentation, this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature is disabled by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that you must have compiled Privoxy with support for this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature, otherwise this option has no effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enable-remote-toggle 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.4. enable-remote-http-toggle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not Privoxy recognizes special HTTP headers to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# change its behaviour.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy ignores special HTTP headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When toggled on, the client can change Privoxy's behaviour by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setting special HTTP headers. Currently the only supported
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# special header is "X-Filter: No", to disable filtering for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ongoing request, even if it is enabled in one of the action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This feature is disabled by default. If you are using Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in a environment with trusted clients, you may enable this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature at your discretion. Note that malicious client side
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# code (e.g Java) is also capable of using this feature.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option will be removed in future releases as it has been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# obsoleted by the more general header taggers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enable-remote-http-toggle 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.5. enable-edit-actions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not the web-based actions file editor may be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The web-based actions file editor is disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Access to the editor can not be controlled separately by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "ACLs" or HTTP authentication, so that everybody who can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access Privoxy (see "ACLs" and listen-address above) can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modify its configuration for all users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not recommended for environments with untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users and as a lot of Privoxy users don't read documentation,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this feature is disabled by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that malicious client side code (e.g Java) is also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capable of using the actions editor and you shouldn't enable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this options unless you understand the consequences and are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sure your browser is configured correctly.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that you must have compiled Privoxy with support for this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature, otherwise this option has no effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enable-edit-actions 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.6. enforce-blocks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether the user is allowed to ignore blocks and can "go there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# anyway".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Blocks are not enforced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy is mainly used to block and filter requests as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service to the user, for example to block ads and other junk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that clogs the pipes. Privoxy's configuration isn't perfect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and sometimes innocent pages are blocked. In this situation it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# makes sense to allow the user to enforce the request and have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy ignore the block.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the default configuration Privoxy's "Blocked" page contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a "go there anyway" link to adds a special string (the force
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prefix) to the request URL. If that link is used, Privoxy will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# detect the force prefix, remove it again and let the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pass.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Of course Privoxy can also be used to enforce a network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# policy. In that case the user obviously should not be able to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypass any blocks, and that's what the "enforce-blocks" option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is for. If it's enabled, Privoxy hides the "go there anyway"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# link. If the user adds the force prefix by hand, it will not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be accepted and the circumvention attempt is logged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enforce-blocks 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enforce-blocks 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.7. ACLs: permit-access and deny-access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =========================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Who can access what.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Where src_addr and dst_addr are IPv4 addresses in dotted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decimal notation or valid DNS names, port is a port number,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and src_masklen and dst_masklen are subnet masks in CIDR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# notation, i.e. integer values from 2 to 30 representing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# length (in bits) of the network address. The masks and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whole destination part are optional.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If your system implements RFC 3493, then src_addr and dst_addr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can be IPv6 addresses delimeted by brackets, port can be a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number or a service name, and src_masklen and dst_masklen can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be a number from 0 to 128.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If no port is specified, any port will match. If no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# src_masklen or src_masklen is given, the complete IP address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has to match (i.e. 32 bits for IPv4 and 128 bits for IPv6).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't restrict access further than implied by listen-address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Access controls are included at the request of ISPs and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# systems administrators, and are not usually needed by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual users. For a typical home user, it will normally
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# suffice to ensure that Privoxy only listens on the localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (127.0.0.1) or internal (home) network address by means of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen-address option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see the warnings in the FAQ that Privoxy is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intended to be a substitute for a firewall or to encourage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# anyone to defer addressing basic security weaknesses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple ACL lines are OK. If any ACLs are specified, Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only talks to IP addresses that match at least one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit-access line and don't match any subsequent deny-access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# line. In other words, the last match wins, with the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being deny-access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If Privoxy is using a forwarder (see forward below) for a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# particular destination URL, the dst_addr that is examined is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the address of the forwarder and NOT the address of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ultimate target. This is necessary because it may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# impossible for the local Privoxy to determine the IP address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the ultimate target (that's often what gateways are used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You should prefer using IP addresses over DNS names, because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the address lookups take time. All DNS names must resolve! You
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can not use domain patterns like "*.org" or partial domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# names. If a DNS name resolves to multiple IP addresses, only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the first one is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some systems allow IPv4 clients to connect to IPv6 server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sockets. Then the client's IPv4 address will be translated by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the system into IPv6 address space with special prefix
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ::ffff:0:0/96 (so called IPv4 mapped IPv6 address). Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can handle it and maps such ACL addresses automatically.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Denying access to particular sites by ACL may have undesired
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# side effects if the site in question is hosted on a machine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which also hosts other sites (most sites are).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Explicitly define the default behavior if no ACL and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen-address are set: "localhost" is OK. The absence of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dst_addr implies that all destination addresses are OK:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit-access localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow any host on the same class C subnet as www.privoxy.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to nothing but www.example.com (or other domains hosted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the same system):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit-access www.privoxy.org/24 www.example.com/32
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow access from any host on the 26-bit subnet 192.168.45.64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to anywhere, with the exception that 192.168.45.73 may not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access the IP address behind www.dirty-stuff.example.com:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit-access 192.168.45.64/26
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny-access 192.168.45.73 www.dirty-stuff.example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow access from the IPv4 network 192.0.2.0/24 even if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listening on an IPv6 wild card address (not supported on all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# platforms):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit-access 192.0.2.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is equivalent to the following line even if listening on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an IPv4 address (not supported on all platforms):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permit-access [::ffff:192.0.2.0]/120
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.8. buffer-limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum size of the buffer for content filtering.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Size in Kbytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use a 4MB (4096 KB) limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For content filtering, i.e. the +filter and +deanimate-gif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actions, it is necessary that Privoxy buffers the entire
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# document body. This can be potentially dangerous, since a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server could just keep sending data indefinitely and wait for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your RAM to exhaust -- with nasty consequences. Hence this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a document buffer size reaches the buffer-limit, it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flushed to the client unfiltered and no further attempt to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filter the rest of the document is made. Remember that there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be multiple threads running, which might require up to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffer-limit Kbytes each, unless you have enabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "single-threaded" above.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+buffer-limit 4096
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4.9. enable-proxy-authentication-forwarding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ============================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not proxy authentication through Privoxy should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# work.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Proxy authentication headers are removed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy itself does not support proxy authentication, but can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow clients to authenticate against Privoxy's parent proxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Privoxy (3.0.21 and later) don't do that and remove
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Proxy-Authorization headers in requests and Proxy-Authenticate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers in responses to make it harder for malicious sites to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# trick inexperienced users into providing login information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this option is enabled the headers are forwarded.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option is not recommended if there is no parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy that requires authentication or if the local network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# between Privoxy and the parent proxy isn't trustworthy. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy authentication is only required for some requests, it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recommended to use a client header filter to remove the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication headers for requests where they aren't needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+enable-proxy-authentication-forwarding 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5. FORWARDING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This feature allows routing of HTTP requests through a chain of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multiple proxies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Forwarding can be used to chain Privoxy with a caching proxy to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# speed up browsing. Using a parent proxy may also be necessary if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the machine that Privoxy runs on has no direct Internet access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that parent proxies can severely decrease your privacy level.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example a parent proxy could add your IP address to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request headers and if it's a caching proxy it may add the "Etag"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header to revalidation requests again, even though you configured
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy to remove it. It may also ignore Privoxy's header time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# randomization and use the original values which could be used by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server as cookie replacement to track your steps between
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# visits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also specified here are SOCKS proxies. Privoxy supports the SOCKS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4 and SOCKS 4A protocols.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5.1. forward
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =============
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To which parent HTTP proxy specific requests should be routed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# target_pattern http_parent[:port]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where target_pattern is a URL pattern that specifies to which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests (i.e. URLs) this forward rule shall apply. Use / to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# denote "all URLs". http_parent[:port] is the DNS name or IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address of the parent HTTP proxy through which the requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should be forwarded, optionally followed by its listening port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (default: 8000). Use a single dot (.) to denote "no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarding".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't use parent HTTP proxies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If http_parent is ".", then requests are not forwarded to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# another HTTP proxy but are made directly to the web servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_parent can be a numerical IPv6 address (if RFC 3493 is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# implemented). To prevent clashes with the port delimiter, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whole IP address has to be put into brackets. On the other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hand a target_pattern containing an IPv6 address has to be put
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# into angle brackets (normal brackets are reserved for regular
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expressions already).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple lines are OK, they are checked in sequence, and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last match wins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Everything goes to an example parent proxy, except SSL on port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 443 (which it doesn't handle):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward / parent-proxy.example.org:8080
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward :443 .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Everything goes to our example ISP's caching proxy, except for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests to that ISP's sites:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward / caching-proxy.isp.example.net:8000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward .isp.example.net .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Parent proxy specified by an IPv6 address:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward / [2001:DB8::1]:8000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Suppose your parent proxy doesn't support IPv6:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward / parent-proxy.example.org:8000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward ipv6-server.example.org .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+forward / .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+forward :443 .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I2P
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#forward .i2p @PROXY_HOSTNAME@:4443
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
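Review bot: the active rule "forward :443 ." that follows "forward / ." is redundant. By this file's own comments, "/" denotes all URLs, "." denotes no forwarding, and the last match wins, so both rules resolve to a direct connection and the :443 line changes nothing. The pair looks copied from the documented example "forward / parent-proxy.example.org:8080" plus "forward :443 .", where the second line is a real exception. Suggest dropping the :443 rule, or, if plain HTTP was meant to go to a parent proxy, naming that parent in the first rule. A short comment next to the "See http://www.christianschenk.org/..." line stating that Privoxy is the last hop and connects directly would make the intent clear.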
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5.2. forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Through which SOCKS proxy (and optionally to which parent HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy) specific requests should be routed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# target_pattern socks_proxy[:port] http_parent[:port]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where target_pattern is a URL pattern that specifies to which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests (i.e. URLs) this forward rule shall apply. Use / to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# denote "all URLs". http_parent and socks_proxy are IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# addresses in dotted decimal notation or valid DNS names (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_parent may be "." to denote "no HTTP forwarding"), and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the optional port parameters are TCP ports, i.e. integer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# values from 1 to 65535
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unset
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't use SOCKS proxies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple lines are OK, they are checked in sequence, and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last match wins.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The difference between forward-socks4 and forward-socks4a is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that in the SOCKS 4A protocol, the DNS resolution of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# target hostname happens on the SOCKS server, while in SOCKS 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it happens locally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With forward-socks5 the DNS resolution will happen on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# remote server as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward-socks5t works like vanilla forward-socks5 but lets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy additionally use Tor-specific SOCKS extensions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently the only supported SOCKS extension is optimistic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data which can reduce the latency for the first request made
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on a newly created connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# socks_proxy and http_parent can be a numerical IPv6 address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (if RFC 3493 is implemented). To prevent clashes with the port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delimiter, the whole IP address has to be put into brackets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On the other hand a target_pattern containing an IPv6 address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has to be put into angle brackets (normal brackets are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reserved for regular expressions already).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If http_parent is ".", then requests are not forwarded to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# another HTTP proxy but are made (HTTP-wise) directly to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# web servers, albeit through a SOCKS proxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# From the company example.com, direct connections are made to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all "internal" domains, but everything outbound goes through
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their ISP's proxy by way of example.com's corporate SOCKS 4A
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gateway to the Internet.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward .example.com .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A rule that uses a SOCKS 4 gateway for all destinations but no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP parent looks like this:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward-socks4 / socks-gw.example.com:1080 .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To chain Privoxy and Tor, both running on the same system, you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# would use something like:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward-socks5t / 127.0.0.1:9050 .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that if you got Tor through one of the bundles, you may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have to change the port from 9050 to 9150 (or even another
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one). For details, please check the documentation on the Tor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# website.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The public Tor network can't be used to reach your local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network, if you need to access local servers you therefore
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# might want to make some exceptions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward 192.168.*.*/ .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward 10.*.*.*/ .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward 127.*.*.*/ .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unencrypted connections to systems in these address ranges
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be as (un)secure as the local network is, but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alternative is that you can't reach the local network through
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy at all. Of course this may actually be desired and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there is no reason to make these exceptions if you aren't sure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you need them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you also want to be able to reach servers in your local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network by using their names, you will need additional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceptions that look like this:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward localhost/ .
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5.3. forwarded-connect-retries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How often Privoxy retries if a forwarded connection request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Number of retries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connections forwarded through other proxies are treated like
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direct connections and no retry attempts are made.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarded-connect-retries is mainly interesting for socks4a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections, where Privoxy can't detect why the connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# failed. The connection might have failed because of a DNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# timeout in which case a retry makes sense, but it might also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have failed because the server doesn't exist or isn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reachable. In this case the retry will just delay the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# appearance of Privoxy's error message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that in the context of this option, "forwarded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections" includes all connections that Privoxy forwards
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# through other proxies. This option is not limited to the HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT method.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only use this option, if you are getting lots of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarding-related error messages that go away when you try
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# again manually. Start with a small value and check Privoxy's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logfile from time to time, to see how many retries are usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarded-connect-retries 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+forwarded-connect-retries 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6. MISCELLANEOUS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.1. accept-intercepted-requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether intercepted requests should be treated as valid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only proxy requests are accepted, intercepted requests are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# treated as invalid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you don't trust your clients and want to force them to use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy, enable this option and configure your packet filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to redirect outgoing HTTP connections into Privoxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that intercepting encrypted connections (HTTPS) isn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Make sure that Privoxy's own requests aren't redirected as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# well. Additionally take care that Privoxy can't intentionally
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect to itself, otherwise you could run into redirection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# loops if Privoxy's listening port is reachable by the outside
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or an attacker has access to the pages you visit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are running Privoxy as intercepting proxy without being
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# able to intercept all client requests you may want to adjust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the CGI templates to make sure they don't reference content
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from config.privoxy.org.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accept-intercepted-requests 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+accept-intercepted-requests 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.2. allow-cgi-request-crunching
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether requests to Privoxy's CGI pages can be blocked or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy ignores block and redirect actions for its CGI pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Privoxy ignores block or redirect actions for its
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CGI pages. Intercepting these requests can be useful in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multi-user setups to implement fine-grained access control,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but it can also render the complete web interface useless and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make debugging problems painful if done without care.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't enable this option unless you're sure that you really
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# need it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow-cgi-request-crunching 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+allow-cgi-request-crunching 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.3. split-large-forms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =======================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether the CGI interface should stay compatible with broken
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The CGI form generate long GET URLs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy's CGI forms can lead to rather long URLs. This isn't a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# problem as far as the HTTP standard is concerned, but it can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# confuse clients with arbitrary URL length limitations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling split-large-forms causes Privoxy to divide big forms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# into smaller ones to keep the URL length down. It makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# editing a lot less convenient and you can no longer submit all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# changes at once, but at least it works around this browser
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bug.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you don't notice any editing problems, there is no reason
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to enable this option, but if one of the submit buttons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# appears to be broken, you should give it a try.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# split-large-forms 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+split-large-forms 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.4. keep-alive-timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Number of seconds after which an open connection will no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# longer be reused.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time in seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connections are not kept alive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option allows clients to keep the connection to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alive. If the server supports it, Privoxy will keep the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection to the server alive as well. Under certain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# circumstances this may result in speed-ups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Privoxy will close the connection to the server if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client connection gets closed, or if the specified timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has been reached without a new request coming in. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# behaviour can be changed with the connection-sharing option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option has no effect if Privoxy has been compiled without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep-alive support.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that a timeout of five seconds as used in the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration file significantly decreases the number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections that will be reused. The value is used because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some browsers limit the number of connections they open to a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# single host and apply the same limit to proxies. This can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# result in a single website "grabbing" all the connections the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# browser allows, which means connections to other websites
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can't be opened until the connections currently in use time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# out.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several users have reported this as a Privoxy bug, so the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default value has been reduced. Consider increasing it to 300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# seconds or even more if you think your browser can handle it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If your browser appears to be hanging, it probably can't.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep-alive-timeout 300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+keep-alive-timeout 300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.5. tolerate-pipelining
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not pipelined requests should be served.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If Privoxy receives more than one request at once, it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminates the client connection after serving the first one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy currently doesn't pipeline outgoing requests, thus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allowing pipelining on the client connection is not guaranteed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to improve the performance.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Privoxy tries to discourage clients from pipelining
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by discarding aggressively pipelined requests, which forces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client to resend them through a new connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option lets Privoxy tolerate pipelining. Whether or not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that improves performance mainly depends on the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are seeing problems with pages not properly loading,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disabling this option could work around the problem.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tolerate-pipelining 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#tolerate-pipelining 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.6. default-server-timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Assumed server-side keep-alive timeout if not specified by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time in seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connections for which the server didn't specify the keep-alive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# timeout are not reused.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option significantly increases the number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections that are reused, provided the keep-alive-timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option is also enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# While it also increases the number of connections problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when Privoxy tries to reuse a connection that already has been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# closed on the server side, or is closed while Privoxy is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# trying to reuse it, this should only be a problem if it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happens for the first request sent by the client. If it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happens for requests on reused client connections, Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will simply close the connection and the client is supposed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# retry the request without bothering the user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option is therefore only recommended if the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-sharing option is disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is an error to specify a value larger than the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep-alive-timeout value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option has no effect if Privoxy has been compiled without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep-alive support.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default-server-timeout 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+default-server-timeout 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.7. connection-sharing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not outgoing connections that have been kept alive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should be shared between different incoming connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connections are not shared.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option has no effect if Privoxy has been compiled without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep-alive support, or if it's disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that reusing connections doesn't necessary cause
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# speedups. There are also a few privacy implications you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be aware of.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this option is effective, outgoing connections are shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# between clients (if there are more than one) and closing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# browser that initiated the outgoing connection does no longer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# affect the connection between Privoxy and the server unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client's request hasn't been completed yet.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the outgoing connection is idle, it will not be closed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# until either Privoxy's or the server's timeout is reached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# While it's open, the server knows that the system running
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy is still there.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there are more than one client (maybe even belonging to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multiple users), they will be able to reuse each others
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections. This is potentially dangerous in case of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication schemes like NTLM where only the connection is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authenticated, instead of requiring authentication for each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there is only a single client, and if said client can keep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections alive on its own, enabling this option has next to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no effect. If the client doesn't support connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep-alive, enabling this option may make sense as it allows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy to keep outgoing connections alive even if the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# itself doesn't support it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You should also be aware that enabling this option increases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the likelihood of getting the "No server or forwarder data"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# error message, especially if you are using a slow connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the Internet.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option should only be used by experienced users who
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understand the risks and can weight them against the benefits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-sharing 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+connection-sharing 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.8. socket-timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ====================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Number of seconds after which a socket times out if no data is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time in seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A default value of 300 seconds is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is quite high and you probably want to reduce it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you aren't using an occasionally slow proxy like Tor,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reducing it to a few seconds should be fine.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# socket-timeout 300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+socket-timeout 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
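Review bot: keep-alive-timeout is set to 300 in section 6.4 with no local rationale, although the notes directly above it say
the default configuration uses five seconds because a long timeout lets a single website hold all the connections a browser allows to the proxy.
If the only client of this Privoxy instance is Squid (the commit message's squid.conf change suggests that pairing), add a one-line comment next to the setting saying so.
The same documentation gap applies to "#tolerate-pipelining 1" in section 6.5: leaving it commented out selects the "Effect if unset" behaviour,
where the client connection is terminated after the first of several requests received at once, so either enable it or note that it is disabled on purpose.
default-server-timeout 60 stays below keep-alive-timeout and connection-sharing is 0, which matches the notes in 6.6.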
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.9. max-client-connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of client connections that will be served.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Positive number.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connections are served until a resource limit is reached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy creates one thread (or process) for every incoming
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client connection that isn't rejected based on the access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# control settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the system is powerful enough, Privoxy can theoretically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deal with several hundred (or thousand) connections at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# same time, but some operating systems enforce resource limits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by shutting down offending processes and their default limits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be below the ones Privoxy would require under heavy load.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configuring Privoxy to enforce a connection limit below the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# thread or process limit used by the operating system makes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sure this doesn't happen. Simply increasing the operating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system's limit would work too, but if Privoxy isn't the only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# application running on the system, you may actually want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit the resources used by Privoxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If Privoxy is only used by a single trusted user, limiting the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number of client connections is probably unnecessary. If there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are multiple possibly untrusted users you probably still want
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to additionally use a packet filter to limit the maximal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number of incoming connections per client. Otherwise a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# malicious user could intentionally create a high number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections to prevent other users from using Privoxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Obviously using this option only makes sense if you choose a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit below the one enforced by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# One most POSIX-compliant systems Privoxy can't properly deal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with more than FD_SETSIZE file descriptors at the same time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and has to reject connections if the limit is reached. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will likely change in a future version, but currently this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit can't be increased without recompiling Privoxy with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# different FD_SETSIZE limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-client-connections 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+max-client-connections 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
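Review bot: the active "max-client-connections 256" line at the end of section 6.9 doubles the
documented default of 128 with no stated basis, while the notes directly above it say the option
only makes sense when the limit is below the one the operating system enforces, and that Privoxy
has to reject connections once FD_SETSIZE file descriptors are in use. Neither this section nor
the commit message says what limit 256 was checked against for the Privoxy process on macOS.
Please add a comment next to the setting naming the descriptor and thread limits it was sized
for, or keep the default of 128. The same notes warn that with multiple possibly untrusted users
one client can open enough connections to lock the others out, so if this proxy is meant to
serve more than one user, the higher cap should be paired with a per-client connection limit in
the packet filter.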
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.10. handle-as-empty-doc-returns-ok
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =====================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The status code Privoxy returns for pages blocked with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +handle-as-empty-document.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy returns a status 403(forbidden) for all blocked pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if set:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy returns a status 200(OK) for pages blocked with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +handle-as-empty-document and a status 403(Forbidden) for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other blocked pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive was added as a work-around for Firefox bug
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 492459: "Websites are no longer rendered if SSL requests for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# JavaScripts are blocked by a proxy."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (https://bugzilla.mozilla.org/show_bug.cgi?id=492459), the bug
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has been fixed for quite some time, but this directive is also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# useful to make it harder for websites to detect whether or not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# resources are being blocked.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#handle-as-empty-doc-returns-ok 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.11. enable-compression
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not buffered content is compressed before delivery.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if unset:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy does not compress buffered content.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Effect if set:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy compresses buffered content before delivering it to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client, provided the client supports it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive is only supported if Privoxy has been compiled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with FEATURE_COMPRESSION, which should not to be confused with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FEATURE_ZLIB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Compressing buffered content is mainly useful if Privoxy and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client are running on different systems. If they are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# running on the same system, enabling compression is likely to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# slow things down. If you didn't measure otherwise, you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# assume that it does and keep this option disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy will not compress buffered content below a certain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# length.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#enable-compression 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.12. compression-level
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The compression level that is passed to the zlib library when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compressing buffered content.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Positive number ranging from 0 to 9.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Compressing the data more takes usually longer than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compressing it less or not compressing it at all. Which level
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is best depends on the connection between Privoxy and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client. If you can't be bothered to benchmark it for yourself,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you should stick with the default and keep compression
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If compression is disabled, the compression level is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# irrelevant.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Best speed (compared to the other levels)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compression-level 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Best compression
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compression-level 9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # No compression. Only useful for testing as the added header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # slightly increases the amount of data that has to be sent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # If your benchmark shows that using this compression level
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # is superior to using no compression at all, the benchmark
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # is likely to be flawed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compression-level 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#compression-level 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.13. client-header-order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The order in which client headers are sorted before forwarding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client header names delimited by spaces or tabs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Privoxy leaves the client headers in the order they
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# were sent by the client. Headers are modified in-place, new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers are added at the end of the already existing headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The header order can be used to fingerprint client requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# independently of other headers like the User-Agent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive allows to sort the headers differently to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# better mimic a different User-Agent. Client headers will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# emitted in the order given, headers whose name isn't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# explicitly specified are added at the end.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that sorting headers in an uncommon way will make
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fingerprinting actually easier. Encrypted headers are not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# affected by this directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#client-header-order Host \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept-Language \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept-Encoding \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Proxy-Connection \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Referer \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cookie \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNT \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If-Modified-Since \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cache-Control \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Content-Length \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Content-Type
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.14. client-specific-tag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The name of a tag that will always be set for clients that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requested it through the webinterface.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Tag name followed by a description that will be shown in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# webinterface
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# None
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +-----------------------------------------------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | Warning |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |-----------------------------------------------------|
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |This is an experimental feature. The syntax is likely|
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |to change in future versions. |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +-----------------------------------------------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Client-specific tags allow Privoxy admins to create different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# profiles and let the users chose which one they want without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# impacting other users.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# One use case is allowing users to circumvent certain blocks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without having to allow them to circumvent all blocks. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not possible with the enable-remote-toggle feature because it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# would bluntly disable all blocks for all users and also affect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other actions like filters. It also is set globally which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# renders it useless in most multi-user setups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# After a client-specific tag has been defined with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-specific-tag directive, action sections can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# activated based on the tag by using a CLIENT-TAG pattern. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CLIENT-TAG pattern is evaluated at the same priority as URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# patterns, as a result the last matching pattern wins. Tags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that are created based on client or server headers are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# evaluated later on and can overrule CLIENT-TAG and URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# patterns!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The tag is set for all requests that come from clients that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requested it to be set. Note that "clients" are differentiated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by IP address, if the IP address changes the tag has to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requested again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Clients can request tags to be set by using the CGI interface
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://config.privoxy.org/client-tags. The specific tag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# description is only used on the web page and should be phrased
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in away that the user understand the effect of the tag.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Define a couple of tags, the described effect requires action sections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # that are enabled based on CLIENT-TAG patterns.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable-content-filters Disable content-filters but do not affect other actions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.15. client-tag-lifetime
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==========================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long a temporarily enabled tag remains enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time in seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +-----------------------------------------------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | Warning |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |-----------------------------------------------------|
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |This is an experimental feature. The syntax is likely|
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |to change in future versions. |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +-----------------------------------------------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In case of some tags users may not want to enable them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# permanently, but only for a short amount of time, for example
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to circumvent a block that is the result of an overly-broad
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL pattern.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The CGI interface http://config.privoxy.org/client-tags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# therefore provides a "enable this tag temporarily" option. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it is used, the tag will be set until the client-tag-lifetime
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is over.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Increase the time to life for temporarily enabled tags to 3 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-tag-lifetime 180
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 6.16. trust-x-forwarded-for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ============================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not Privoxy should use IP addresses specified with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the X-Forwarded-For header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type of value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0 or one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default value:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Notes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +-----------------------------------------------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# | Warning |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |-----------------------------------------------------|
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |This is an experimental feature. The syntax is likely|
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# |to change in future versions. |
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# +-----------------------------------------------------+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If clients reach Privoxy through another proxy, for example a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# load balancer, Privoxy can't tell the client's IP address from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the connection. If multiple clients use the same proxy, they
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will share the same client tag settings which is usually not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# desired.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option lets Privoxy use the X-Forwarded-For header value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as client IP address. If the proxy sets the header, multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients using the same proxy do not share the same client tag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option should only be enabled if Privoxy can only be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reached through a proxy and if the proxy can be trusted to set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the header correctly. It is recommended that ACL are used to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make sure only trusted systems can reach Privoxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If access to Privoxy isn't limited to trusted systems, this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option would allow malicious clients to change the client tags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for other clients or increase Privoxy's memory requirements by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# registering lots of client tag settings for clients that don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exist.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Allow systems that can reach Privoxy to provide the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # IP address with a X-Forwarded-For header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# trust-x-forwarded-for 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 7. WINDOWS GUI OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# =======================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Privoxy has a number of options specific to the Windows GUI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interface:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If "activity-animation" is set to 1, the Privoxy icon will animate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when "Privoxy" is active. To turn off, set to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#activity-animation 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If "log-messages" is set to 1, Privoxy copies log messages to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# console window. The log detail depends on the debug directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log-messages 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If "log-buffer-size" is set to 1, the size of the log buffer, i.e.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the amount of memory used for the log messages displayed in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# console window, will be limited to "log-max-lines" (see below).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Warning: Setting this to 0 will result in the buffer to grow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# infinitely and eat up all your memory!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log-buffer-size 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log-max-lines is the maximum number of lines held in the log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffer. See above.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log-max-lines 200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If "log-highlight-messages" is set to 1, Privoxy will highlight
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# portions of the log messages with a bold-faced font:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log-highlight-messages 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The font used in the console window:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log-font-name Comic Sans MS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Font size used in the console window:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#log-font-size 8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "show-on-task-bar" controls whether or not Privoxy will appear as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a button on the Task bar when minimized:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#show-on-task-bar 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If "close-button-minimizes" is set to 1, the Windows close button
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will minimize Privoxy instead of closing the program (close with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the exit option on the File menu).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#close-button-minimizes 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "hide-console" option is specific to the MS-Win console
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# version of Privoxy. If this option is used, Privoxy will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disconnect from and hide the command console.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#hide-console
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
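Review bot: The tail of this new file is unmodified upstream documentation with no directive enabled,
including section 7 "WINDOWS GUI OPTIONS" (`#activity-animation 1` through `#hide-console`), which
cannot apply to a macOS port. Since privoxy-config.patch in this same commit already carries the
port's delta against `./config`, say at the top of this file or in the Portfile which of the two is
authoritative and how this full copy is regenerated, otherwise it will drift from upstream on the next
Privoxy update. `trust-x-forwarded-for` is left at its default of 0, which matches the guidance in the
text above it; a one-line comment recording that this is deliberate would help the next editor.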
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/privoxy-config.patch b/net/macos-fortress/files/privoxy-config.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index da47ab5..68e2917 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/files/privoxy-config.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/privoxy-config.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,5 +1,5 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- ./config 2019-10-22 22:49:35.000000000 -0400
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ ./config 2019-10-22 22:54:09.000000000 -0400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./config 2020-04-03 08:30:39.000000000 -0400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./config 2020-04-03 08:33:32.000000000 -0400
</span> @@ -193,6 +193,7 @@
# shown.
#
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/privoxy-match-all.action.macports b/net/macos-fortress/files/privoxy-match-all.action.macports
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..1e1eed5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/privoxy-match-all.action.macports
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,39 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#############################################################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $Id: match-all.action,v 1.4 2016/03/27 16:54:05 fabiankeil Exp $
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This file contains the actions that are applied to all requests and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be overruled later on by other actions files. Less experienced
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users should only edit this file through the actions file editor.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#############################################################################
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# original:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#{ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#+change-x-forwarded-for{block} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#+client-header-tagger{css-requests} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#+client-header-tagger{image-requests} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#+hide-from-header{block} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#+set-image-blocker{pattern} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#/ # Match all URLs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+{ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++change-x-forwarded-for{block} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++deanimate-gifs{last} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++filter{refresh-tags} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++filter{img-reorder} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++filter{banners-by-size} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++filter{webbugs} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++filter{jumping-windows} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++filter{ie-exploits} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hide-from-header{block} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hide-referrer{conditional-block} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++session-cookies-only \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++set-image-blocker{pattern} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+/ # Match all URLs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# User-Agent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+{ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hide-referrer{conditional-forge} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++hide-user-agent{Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+/ # Match all URLs
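Review bot: Both action blocks are attached to the same pattern `/`, and the second block sets
`+hide-referrer{conditional-forge}` after the first has set `+hide-referrer{conditional-block}`, so
the later value wins for every URL and the first setting is dead configuration. Keep only the intended
referrer mode, preferably by merging the two blocks into one so that a reader does not have to work
out the override order to know what is in effect.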
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/privoxy-match-all.action.patch b/net/macos-fortress/files/privoxy-match-all.action.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index 6b69538..6724e69 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/files/privoxy-match-all.action.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/privoxy-match-all.action.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,5 +1,5 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- ./match-all.action 2019-10-22 23:03:04.000000000 -0400
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ ./match-all.action 2019-10-22 23:06:32.000000000 -0400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./privoxy-orig/match-all.action 2020-04-03 08:41:34.000000000 -0400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./privoxy-new/match-all.action 2020-04-03 08:43:38.000000000 -0400
</span> @@ -6,12 +6,34 @@
# users should only edit this file through the actions file editor.
#
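Review bot: The embedded header paths change here from `./match-all.action` to
`./privoxy-orig/match-all.action` and `./privoxy-new/match-all.action`, which adds a directory
component that the other patch files in this commit do not have (privoxy-config.patch still uses
`./config`). If the Portfile applies these patch files with a single strip level, this one will now
resolve to a different path; regenerate it with the bare `./match-all.action` header or confirm the
strip level used for it.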
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -35,6 +35,6 @@
</span> +# See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
+{ \
++hide-referrer{conditional-forge} \
<span style='display:block; white-space:pre;background:#ffe0e0;'>-++hide-user-agent{Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Safari/605.1.15} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+++hide-user-agent{Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15} \
</span> +}
+/ # Match all URLs
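Review bot: The replacement string on the `hide-user-agent` line is a hard-coded literal that this
commit also has to update in privoxy-match-all.action.macports and on the
`request_header_replace User-Agent` line of squid-squid.conf.patch, so each browser release means
editing three copies that must stay identical. Define the string once and substitute it into the
files at install time. It is also worth a comment that this rewrite only touches plain-HTTP requests:
headers inside CONNECT tunnels are not visible to either proxy unless TLS inspection is configured
elsewhere, so those requests keep the client's real User-Agent.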
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/squid-squid.conf.patch b/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index 8257fe6..50e8f79 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,16 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- ./squid.conf 2019-10-22 22:36:27.000000000 -0400
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ ./squid.conf 2019-10-22 23:08:00.000000000 -0400
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1294,12 +1294,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./squid.con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+f 2020-04-03 08:11:57.000000000 -0400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./squid.con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+f 2020-04-03 10:13:27.000000000 -0400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -798,6 +798,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # user="J. \"Bob\" Smith"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %#{User-Agent}>h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # TAG: acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Defining an Access List
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1294,12 +1295,9 @@
</span> # Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
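Review bot: `logformat squid_ua` is added without a comment, and the only reference to it in this
patch is the commented-out `#access_log ... squid_ua` line further down, so as shipped it is unused.
Add a line above it saying that it is an opt-in format that appends the request User-Agent to the
standard fields, and that enabling it writes each client's User-Agent to access.log next to the
`%>a` client address and `%[un` user name, which matters for a port whose purpose is privacy.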
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -16,7 +26,7 @@
</span> acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1563,8 +1560,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1563,8 +1561,8 @@
</span> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow ICP queries from local networks only
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -27,7 +37,7 @@
</span> #Default:
# Deny, unless rules exist in squid.conf.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2015,10 +2012,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2015,10 +2013,10 @@
</span> #
# Squid normally listens to port 3128
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -40,7 +50,7 @@
</span> #
# The socket address where Squid will listen for client requests made
# over TLS or SSL connections. Commonly referred to as HTTPS.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3308,6 +3305,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3308,6 +3306,16 @@
</span> #Default:
# none
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -57,7 +67,22 @@
</span> # TAG: cache_peer_access
# Restricts usage of cache_peer proxies.
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3441,6 +3453,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3346,6 +3354,14 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # No peer usage restrictions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# deny CONNECT to privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cache_peer_access privoxy deny CONNECT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# I2P
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# acl i2p dstdomain -n .i2p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# cache_peer_access i2p allow i2p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# cache_peer_access i2p deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # TAG: neighbor_type_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Modify the cache_peer neighbor type when passing requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # about specific domains to the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3441,6 +3457,7 @@
</span> # enough to keep larger objects from hoarding cache_mem.
#Default:
# maximum_object_size_in_memory 512 KB
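Review bot: The comment `# deny CONNECT to privoxy` restates the directive but not its consequence:
once CONNECT is denied to the privoxy peer, TLS tunnels are no longer subject to Privoxy's host-based
actions, and nothing in this hunk shows where Squid sends them instead. Expand the comment to say
that CONNECT is meant to go direct, and check that no `never_direct` rule elsewhere in squid.conf
forces requests through a peer, since that would make CONNECT fail rather than bypass. The commented
I2P rules also name a peer called `i2p` that is not declared in this hunk; note where it has to be
defined before those lines are uncommented.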
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -65,7 +90,7 @@
</span>
# TAG: memory_cache_shared on|off
# Controls whether the memory cache is shared among SMP workers.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3523,6 +3536,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3523,6 +3540,7 @@
</span> # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#Default:
# cache_replacement_policy lru
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -73,7 +98,7 @@
</span>
# TAG: minimum_object_size (bytes)
# Objects smaller than this size will NOT be saved on disk. The
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3547,6 +3561,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3547,6 +3565,7 @@
</span> # See cache_replacement_policy for a discussion of this policy.
#Default:
# maximum_object_size 4 MB
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -81,7 +106,7 @@
</span>
# TAG: cache_dir
# Format:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3702,6 +3717,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3702,6 +3721,7 @@
</span> #Default:
# No disk cache. Store cache ojects only in memory.
#
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -89,16 +114,17 @@
</span>
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4333,6 +4349,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4332,7 +4352,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Default:
</span> # access_log daemon:@PREFIX@/var/squid/logs/access.log squid
#Default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # access_log daemon:@PREFIX@/var/squid/logs/access.log squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-# access_log daemon:@PREFIX@/var/squid/logs/access.log squid
</span> +access_log daemon:@PREFIX@/var/squid/logs/access.log squid
+#access_log daemon:@PREFIX@/var/squid/logs/access.log squid_ua
# TAG: icap_log
# ICAP log files record ICAP transaction summaries, one line per
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4533,8 +4551,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4533,8 +4554,11 @@
</span> # in the habit of using 'squid -k rotate' instead of 'kill -USR1
# <pid>'.
#
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -110,7 +136,7 @@
</span>
# TAG: mime_table
# Path to Squid's icon configuration file.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4590,6 +4611,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4590,6 +4614,7 @@
</span> # Currently honored by 'daemon' and 'tcp' access_log modules only.
#Default:
# buffered_logs off
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -118,7 +144,15 @@
</span>
# TAG: netdb_filename
# Note: This option is only available if Squid is rebuilt with the
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5351,15 +5376,25 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4639,6 +4664,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Use the directory from where Squid was started.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Leave coredumps in the first cache dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ coredump_dir @PREFIX@/var/squid/cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5351,15 +5377,25 @@
</span> refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
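Review bot: The added `cache_dir ufs @PREFIX@/var/squid/cache 256 16 256` line (inner hunk `@@ -4639,6 +4664,7 @@`) sits directly above `coredump_dir`, inside the coredump_dir documentation block, and carries no comment. Someone auditing the cache settings will look under the cache_dir documentation and not find it. Either move it there or add a one-line comment saying what it sets (256 MB, 16 first-level and 256 second-level directories). Because `coredump_dir` points at the same path, also confirm that the directory is created with ownership limited to the Squid user, since core files can contain proxied request data.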
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -145,7 +179,7 @@
</span>
# TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5577,6 +5612,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5577,6 +5613,7 @@
</span> # replies as required by RFC2616.
#Default:
# via on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -153,7 +187,7 @@
</span>
# TAG: vary_ignore_expire on|off
# Many HTTP servers supporting Vary gives such objects
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5669,6 +5705,67 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5669,6 +5706,67 @@
</span> #Default:
# No limits.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -216,12 +250,12 @@
</span> +request_header_access X_MTI_EMPID deny all
+
+request_header_access User-Agent deny all
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Safari/605.1.15
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
</span> +
# TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -6033,6 +6130,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -6036,6 +6134,10 @@
</span> # seconds will receive a 'timeout' message.
#Default:
# shutdown_lifetime 30 seconds
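Review bot: The changed `request_header_replace User-Agent` line hard-codes a Safari 13.1 / Mac OS X 10_15_4 string, so it goes stale with every browser release and must be hand-edited here again; the commit message lists a matching User Agent update in the privoxy config, so there are two places to keep in step. A pinned, outdated User-Agent makes these clients easier to single out, which works against the intent of `request_header_access User-Agent deny all`. Consider filling the string in at install time from a single definition, the way `@PREFIX@` is already substituted in this file.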
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -232,7 +266,7 @@
</span>
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -6101,6 +6202,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -6104,6 +6206,7 @@
</span> # names with this setting.
#Default:
# Automatically detect the system host name
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -240,7 +274,7 @@
</span>
# TAG: unique_hostname
# If you want to have multiple machines with the same
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -6829,6 +6931,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -6832,6 +6935,7 @@
</span> # up or to simplify log analysis.
#Default:
# log_icp_queries on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -248,10 +282,14 @@
</span>
# TAG: udp_incoming_address
# udp_incoming_address is used for UDP packets received from other
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -7326,6 +7429,24 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7329,6 +7433,46 @@
</span> #Default:
# Prevent any cache_peer being used for this request.
<span style='display:block; white-space:pre;background:#e0ffe0;'>++# Do not send Zoom https://*.zoom.us through Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++acl zoom-us-domain dstdomain .zoom.us
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++always_direct allow CONNECT zoom-us-domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> +# Do not send AWS requests through Privoxy
+acl aws-domains dstdomain \
+ .aws.amazon.com \
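Review bot: The new `always_direct allow CONNECT zoom-us-domain` exception at the top of the always_direct block does not say why Zoom must bypass Privoxy, and the next hunk enables `always_direct allow SSL_ports`, which already sends every request to those ports direct. If the Zoom rule is still needed by itself (for example for ports outside `SSL_ports`), state that in the comment; otherwise drop it so the list of proxy-bypass exceptions stays short and auditable. The `CONNECT` ACL it relies on is not defined in the visible lines, so check that it is declared earlier in squid.conf.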
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -270,10 +308,28 @@
</span> +# Do not forward SSL requests to Privoxy
+#always_direct allow SSL_ports
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++# Do not send AWS requests through Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++acl aws-domains dstdomain \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ .aws.amazon.com \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ .cloudfront.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++always_direct allow aws-domains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Define ACL for protocol FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++acl ftp proto FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++always_direct allow ftp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Direct to specified domain names
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#acl mydomainname dstdomain .mydomainname.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#always_direct allow mydomainname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Do not forward SSL requests to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++always_direct allow SSL_ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> # TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -7355,6 +7476,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7358,6 +7502,14 @@
</span> #Default:
# Allow DNS results to be used for this request.
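Review bot: The lines added in this hunk repeat a block that is already present as context just above them: `acl aws-domains dstdomain \ .aws.amazon.com ...` and the `# Do not forward SSL requests to Privoxy` stanza now appear twice in the inner patch, whose header grew from `+7429,24` to `+7433,46`. This looks like the inner patch was regenerated against an already patched squid.conf. Keep one copy and flip the existing `#always_direct allow SSL_ports` line in place, so an auditor does not find a commented and an active version of the same rule side by side. That line is also the security-relevant change of this commit (all traffic to `SSL_ports` now skips Privoxy filtering) and deserves a comment stating that consequence.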
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -281,10 +337,14 @@
</span> +# Forward all the rest to Privoxy
+never_direct allow all
+
<span style='display:block; white-space:pre;background:#e0ffe0;'>++# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Forward all the rest to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++never_direct allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span> # ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8195,6 +8320,12 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8198,6 +8350,12 @@
</span> #Default:
# Use operating system definitions
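Review bot: The added `# Forward all the rest to Privoxy` / `never_direct allow all` lines duplicate the identical lines kept as context immediately above them in this hunk (inner header count 10 to 14). The repeat is harmless to Squid, but it suggests the inner patch was regenerated from an already patched file. Regenerate it against the pristine squid.conf so each directive appears once.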
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -297,7 +357,7 @@
</span> # TAG: hosts_file
# Location of the host-local IP name-address associations
# database. Most Operating Systems have such a file on different
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8220,6 +8351,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8223,6 +8381,7 @@
</span> # definitions.
#Default:
# hosts_file /etc/hosts
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -305,7 +365,7 @@
</span>
# TAG: append_domain
# Appends local domain name to hostnames without any dots in
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8262,6 +8394,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8265,6 +8424,7 @@
</span> # Maximum number of DNS IP cache entries.
#Default:
# ipcache_size 1024
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -313,7 +373,7 @@
</span>
# TAG: ipcache_low (percent)
#Default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8276,6 +8409,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8279,6 +8439,7 @@
</span> # Maximum number of FQDN cache entries.
#Default:
# fqdncache_size 1024
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -321,7 +381,7 @@
</span>
# MISCELLANEOUS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8296,6 +8430,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8299,6 +8460,7 @@
</span> # routines, disable this.
#Default:
# memory_pools on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -329,7 +389,7 @@
</span>
# TAG: memory_pools_limit (bytes)
# Used only with memory_pools on:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8342,6 +8477,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8345,6 +8507,7 @@
</span> # X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -337,7 +397,7 @@
</span>
# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8409,6 +8545,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8412,6 +8575,7 @@
</span> # turn off client_db here.
#Default:
# client_db on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -345,7 +405,7 @@
</span>
# TAG: refresh_all_ims on|off
# When you enable this option, squid will always check
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8539,6 +8676,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8542,6 +8706,7 @@
</span> # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
#Default:
# Do not pre-parse pipelined requests.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -353,11 +413,11 @@
</span>
# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8596,6 +8734,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8599,6 +8764,7 @@
</span> # Whether to lookup the EUI or MAC address of a connected client.
#Default:
# eui_lookup on
+eui_lookup off
# TAG: max_filedescriptors
<span style='display:block; white-space:pre;background:#ffe0e0;'>- # Reduce the maximum number of filedescriptors supported below
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Set the maximum number of filedescriptors, either below the
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/squid.conf.macports b/net/macos-fortress/files/squid.conf.macports
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e69f420
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/squid.conf.macports
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,8835 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WELCOME TO SQUID 4.10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ----------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the documentation for the Squid configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This documentation can also be found online at:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.squid-cache.org/Doc/config/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You may wish to look at the Squid home page and wiki for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FAQ and other documentation:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.squid-cache.org/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki.squid-cache.org/SquidFaq
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki.squid-cache.org/ConfigExamples
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This documentation shows what the defaults for various directives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happen to be. If you don't need to change the default, you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# leave the line out of your squid.conf in most cases.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In some cases "none" refers to no default setting at all,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# while in other cases it refers to the value of the option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - the comments for that keyword indicate if this is the case.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configuration options can be included using the "include" directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Include takes a list of files to include. Quoting and wildcards are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# include /path/to/included/file/squid.acl.config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Includes can be nested up to a hard-coded depth of 16 levels.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This arbitrary restriction is to prevent recursive include references
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from causing Squid entering an infinite loop whilst trying to load
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Values with byte units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid accepts size units on some size related directives. All
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# such directives are documented with a default value displaying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a unit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Units accepted by Squid are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bytes - byte
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# KB - Kilobyte (1024 bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MB - Megabyte
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GB - Gigabyte
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Values with spaces, quotes, and other special characters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid supports directive parameters with spaces, quotes, and other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# special characters. Surround such parameters with "double quotes". Use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the configuration_includes_quoted_values directive to enable or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable that support.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid supports reading configuration option parameters from external
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# files using the syntax:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameters("/path/filename")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Conditional configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If-statements can be used to make configuration directives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# depend on conditions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if <CONDITION>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ... regular configuration directives ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ... regular configuration directives ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The else part is optional. The keywords "if", "else", and "endif"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# must be typed on their own lines, as if they were regular
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration directives.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: An else-if condition is not supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These individual conditions types are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always evaluates to true.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# false
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always evaluates to false.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <integer> = <integer>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Equality comparison of two integer numbers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SMP-Related Macros
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following SMP-related preprocessor macros can be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${process_name} expands to the current Squid process "name"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., squid1, squid2, or cache1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${process_number} expands to the current Squid process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# identifier, which is an integer number (e.g., 1, 2, 3) unique
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# across all Squid processes of the current service instance.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ${service_name} expands into the current Squid service instance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name identifier which is provided by -n on the command line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Logformat Macros
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Logformat macros can be used in many places outside of the logformat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directive. In theory, all of the logformat codes can be used as %macros,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where they are supported. In practice, a %macro expands as a dash (-) when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the transaction does not yet have enough information and a value is needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There is no definitive list of what tokens are available at the various
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stages of the transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# And some information may already be available to Squid but not yet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# committed where the macro expansion code can access it (report
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# such instances!). The macro will be expanded into a single dash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ('-') in such cases. Not all macros have been tested.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: broken_vary_encoding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not yet supported by Squid-3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_vary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not yet supported by Squid-3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: error_map
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not yet supported by Squid-3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: external_refresh_check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not yet supported by Squid-3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: location_rewrite_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not yet supported by Squid-3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: refresh_stale_hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not yet supported by Squid-3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_peer_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace with dstdomain ACLs and cache_peer_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ie_refresh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. The behaviour enabled by this is no longer needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_cafile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options cafile= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_capath
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options capath= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_cipher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options cipher= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_client_certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options cert= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_client_key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options key= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_flags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options flags= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options options= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use tls_outgoing_options options= instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: hierarchy_stoplist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use always_direct or cache_peer_access ACLs instead if you need to prevent cache_peer use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use acls with access_log directives to control access logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_icap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Use acls with icap_log directives to control icap logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ignore_ims_on_miss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. The HTTP/1.1 feature is now configured by 'cache_miss_revalidate'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: balance_on_multiple_ip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, this multiple-IP algorithm is not longer relevant.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: chunked_request_body_max_size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Squid is now HTTP/1.1 compliant.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_v4_fallback
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: emulate_httpd_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace this with an access_log directive using the format 'common' or 'combined'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: forward_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use a regular access.log with ACL limiting it to MISS events.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_list_width
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Configure FTP page display using the CSS controls in errorpages.css instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ignore_expect_100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. The HTTP/1.1 feature is now fully supported by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_fqdn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this option from your config. To log FQDN use %>A in the log format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_ip_on_direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this option from your config. To log server or peer names use %<A in the log format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: maximum_single_addr_tries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replaced by connect_retries. The behaviour has changed, please read the documentation before altering.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: referer_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace this with an access_log directive using the format 'referrer'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: update_headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. The feature is supported by default in storage types where update is implemented.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_concurrency
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Set the 'concurrency=' option of url_rewrite_children instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: useragent_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace this with an access_log directive using the format 'useragent'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_testnames
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. DNS is no longer tested on startup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: extension_methods
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. All valid methods for HTTP are accepted by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: zero_buffers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: incoming_rate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: server_http11
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. HTTP/1.1 is supported by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: upgrade_http0.9
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. ICY/1.0 streaming protocol is supported by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: zph_local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Alter these entries. Use the qos_flows directive instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: header_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since squid-3.0 replace with request_header_access or reply_header_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# depending on whether you wish to match client requests or server replies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: httpd_accel_no_pmtu_disc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wais_relay_host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace this line with 'cache_peer' configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wais_relay_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace this line with 'cache_peer' configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR SMP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: workers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Number of main Squid processes or "workers" to fork and maintain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0: "no daemon" mode, like running "squid -N ..."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1: "no SMP" mode, start one main Squid process daemon (default)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# N: start N main Squid process daemons (i.e., SMP mode)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In SMP mode, each worker does nearly all what a single Squid daemon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does (e.g., listen on http_port and forward HTTP requests).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SMP support disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cpu_affinity_map
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets 1:1 mapping between Squid processes and CPU cores. For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# affects processes 1 through 4 only and places them on the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# four even cores, starting with core #1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CPU cores are numbered starting from 1. Requires support for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sched_getaffinity(2) and sched_setaffinity(2) system calls.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple cpu_affinity_map options are merged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: workers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Let operating system decide.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: shared_memory_locking on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to ensure that all required shared memory is available by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "locking" that shared memory into RAM when Squid starts. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alternative is faster startup time followed by slightly slower
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# performance and, if not enough RAM is actually available during
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# runtime, mysterious crashes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SMP Squid uses many shared memory segments. These segments are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# brought into Squid memory space using an mmap(2) system call. During
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid startup, the mmap() call often succeeds regardless of whether
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the system has enough RAM. In general, Squid cannot tell whether the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kernel applies this "optimistic" memory allocation policy (but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# popular modern kernels usually use it).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Later, if Squid attempts to actually access the mapped memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# regions beyond what the kernel is willing to allocate, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "optimistic" kernel simply kills Squid kid with a SIGBUS signal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some of the memory limits enforced by the kernel are currently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# poorly understood: We do not know how to detect and check them. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option ensures that the mapped memory will be available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option may have a positive performance side-effect: Locking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory at start avoids runtime paging I/O. Paging slows Squid down.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Locking memory may require a large enough RLIMIT_MEMLOCK OS limit,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CAP_IPC_LOCK capability, or equivalent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared_memory_locking off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: hopeless_kid_revival_delay time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally, when a kid process dies, Squid immediately restarts the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kid. A kid experiencing frequent deaths is marked as "hopeless" for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the duration specified by this directive. Hopeless kids are not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# automatically restarted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently, zero values are not supported because they result in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# misconfigured SMP Squid instances running forever, endlessly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# restarting each dying kid. To effectively disable hopeless kids
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# revival, set the delay to a huge value (e.g., 1 year).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Reconfiguration also clears all hopeless kids designations, allowing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for manual revival of hopeless kids.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hopeless_kid_revival_delay 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR AUTHENTICATION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: auth_param
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used to define parameters for the various authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# schemes supported by Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format: auth_param scheme parameter [setting]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The order in which authentication schemes are presented to the client is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dependent on the order the scheme first appears in config file. IE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has a bug (it's not RFC 2617 compliant) in that it will use the basic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# scheme if basic is the first entry presented, even if more secure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# schemes are presented. For now use the order in the recommended
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings section below. If other browsers have difficulties (don't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recognize the schemes offered even if you are using basic) either
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# put basic first, or disable the other schemes (by commenting out their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# program entry).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Once an authentication scheme is fully configured, it can only be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shutdown by shutting squid down and restarting. Changes can be made on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the fly and activated with a reconfigure. I.E. You can change to a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# different helper, but not unconfigure the helper completely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please note that while this directive defines how Squid processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication it does not automatically activate authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To use authentication you must in addition make use of ACLs based
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on login name in http_access (proxy_auth, proxy_auth_regex or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# external with %LOGIN used in the format tag). The browser will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# challenged for authentication on the first such acl encountered
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in http_access processing and will also be re-challenged for new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login credentials if the request is being denied by a proxy_auth
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# type acl.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: authentication can't be used in a transparently intercepting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy as the client then thinks it is talking to an origin server and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not the proxy. This is a limitation of bending the TCP/IP protocol to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transparently intercepting port 80, not a limitation in Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Ports flagged 'transparent', 'intercept', or 'tproxy' have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# === Parameters common to all schemes. ===
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "program" cmdline
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the command for the external authenticator.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, each authentication scheme is not used unless a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# program is specified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/Features/AddonHelpers for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more details on helper operations and creating your own.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "key_extras" format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies a string to be append to request line format for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the authentication helper. "Quoted" format values may contain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spaces and logformat %macros. In theory, any logformat %macro
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can be used. In practice, a %macro expands as a dash (-) if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the helper request is sent before the required macro
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# information is available to Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid uses request formats provided in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# scheme-specific examples below (search for %credentials).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The expanded key_extras value is added to the Squid credentials
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache and, hence, will affect authentication. It can be used to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# autenticate different users with identical user names (e.g.,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when user authentication depends on http_port).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Avoid adding frequently changing information to key_extras. For
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# example, if you add user source IP, and it changes frequently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in your environment, then max_user_ip ACL is going to treat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# every user+IP combination as a unique "user", breaking the ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and wasting a lot of memory on those user records. It will also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# force users to authenticate from scratch whenever their IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# changes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "realm" string
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the protection scope (aka realm name) which is to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reported to the client for the authentication scheme. It is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# commonly part of the text the user will see when prompted for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their username and password.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For Basic the default is "Squid proxy-caching web server".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For Digest there is no default, this parameter is mandatory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For NTLM and Negotiate this parameter is ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [queue-size=N] [on-persistent-overload=action]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The maximum number of authenticator processes to spawn. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you start too few Squid will have to wait for them to process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a backlog of credential verifications, slowing it down. When
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password verifications are done via a (slow) network you are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# likely to need lots of authenticator processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The startup= and idle= options permit some skew in the exact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# amount run. A minimum of startup=N will begin during startup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and reconfigure. Squid will start more in groups of up to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idle=N in an attempt to meet traffic needs and to keep idle=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# free above those traffic needs up to the maximum.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The concurrency= option sets the number of concurrent requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the helper can process. The default of 0 is used for helpers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# who only supports one request at a time. Setting this to a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number greater than 0 changes the protocol used to include a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# channel ID field first on the request/response line, allowing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multiple requests to be sent to the same helper in parallel
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without waiting for the response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Concurrency must not be set unless it's known the helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supports the input format with channel-ID fields.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The queue-size option sets the maximum number of queued
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests. A request is queued when no existing child can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accept it due to concurrency limit and no new child can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# started due to numberofchildren limit. The default maximum is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2*numberofchildren. Squid is allowed to temporarily exceed the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured maximum, marking the affected helper as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "overloaded". If the helper overload lasts more than 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minutes, the action prescribed by the on-persistent-overload
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option applies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The on-persistent-overload=action option specifies Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reaction to a new helper request arriving when the helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has been overloaded for more that 3 minutes already. The number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of queued requests determines whether the helper is overloaded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see the queue-size option).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Two actions are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# die Squid worker quits. This is the default behavior.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERR Squid treats the helper request as if it was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# immediately submitted, and the helper immediately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replied with an ERR response. This action has no effect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the already queued and in-progress helper requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: NTLM and Negotiate schemes do not support concurrency
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the Squid code module even though some helpers can.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# === Example Configuration ===
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This configuration displays the recommended authentication scheme
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# order from most to least secure with recommended minimum configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings for each scheme:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param negotiate program <uncomment and complete this line to activate>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param negotiate children 20 startup=0 idle=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param negotiate keep_alive on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param digest program <uncomment and complete this line to activate>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param digest children 20 startup=0 idle=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param digest realm Squid proxy-caching web server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param digest nonce_garbage_interval 5 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param digest nonce_max_duration 30 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param digest nonce_max_count 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param ntlm program <uncomment and complete this line to activate>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param ntlm children 20 startup=0 idle=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param ntlm keep_alive on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param basic program <uncomment and complete this line>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param basic children 5 startup=5 idle=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param basic realm Squid proxy-caching web server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##auth_param basic credentialsttl 2 hours
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: authenticate_cache_garbage_interval
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The time period between garbage collection across the username cache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is a trade-off between memory utilization (long intervals - say
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2 days) and CPU (short intervals - say 1 minute). Only change if you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have good reason to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authenticate_cache_garbage_interval 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: authenticate_ttl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The time a user & their credentials stay in the logged in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user cache since their last request. When the garbage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interval passes, all user credentials that have passed their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TTL are removed from memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authenticate_ttl 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: authenticate_ip_ttl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you use proxy authentication and the 'max_user_ip' ACL,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this directive controls how long Squid remembers the IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# addresses associated with each user. Use a small value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., 60 seconds) if your users might change addresses
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quickly, as is the case with dialup. You might be safe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using a larger value (e.g., 2 hours) in a corporate LAN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# environment with relatively static address assignments.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authenticate_ip_ttl 1 second
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACCESS CONTROLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: external_acl_type
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option defines external acl classes using a helper program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to look up the status
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ttl=n TTL in seconds for cached results (defaults to 3600
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for 1 hour)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# negative_ttl=n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TTL for cached negative lookups (default same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as ttl)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# grace=n Percentage remaining of TTL where a refresh of a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cached entry should be initiated without needing to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wait for a new reply. (default is for no grace period)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache=n The maximum number of entries in the result cache. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default limit is 262144 entries. Each cache entry usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# consumes at least 256 bytes. Squid currently does not remove
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expired cache entries until the limit is reached, so a proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will sooner or later reach the limit. The expanded FORMAT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is used as the cache key, so if the details in FORMAT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are highly variable, a larger cache may be needed to produce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reduction in helper load.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# children-max=n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of acl helper processes spawned to service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# external acl lookups of this type. (default 5)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# children-startup=n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Minimum number of acl helper processes to spawn during
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup and reconfigure to service external acl lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of this type. (default 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# children-idle=n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Number of acl helper processes to keep ahead of traffic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# loads. Squid will spawn this many at once whenever load
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rises above the capabilities of existing processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Up to the value of children-max. (default 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrency=n concurrency level per process. Only used with helpers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capable of processing more than one query at a time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue-size=N The queue-size option sets the maximum number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queued requests. A request is queued when no existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# helper can accept it due to concurrency limit and no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new helper can be started due to children-max limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the queued requests exceed queue size, the acl is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignored. The default value is set to 2*children-max.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ipv4 / ipv6 IP protocol used to communicate with this helper.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is to auto-detect IPv6 and use it when available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FORMAT is a series of %macro codes. See logformat directive for a full list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the accepted codes. Although note that at the time of any external ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being tested data may not be available and thus some %macro expand to '-'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In addition to the logformat codes; when processing external ACLs these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional macros are made available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ACL The name of the ACL being tested.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %DATA The ACL arguments specified in the referencing config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'acl ... external' line, separated by spaces (an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "argument string"). see acl external.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there are no ACL arguments %DATA expands to '-'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you do not specify a DATA macro inside FORMAT,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid automatically appends %DATA to your FORMAT.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that Squid-3.x may expand %DATA to whitespace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or nothing in this case.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid applies URL-encoding to each ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# argument inside the argument string. If an explicit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encoding modifier is used (e.g., %#DATA), then Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encodes the whole argument string as a single token
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., with %#DATA, spaces between arguments become
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %20).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If SSL is enabled, the following formating codes become available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %USER_CERT SSL User certificate in PEM format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %USER_CERTCHAIN SSL User certificate chain in PEM format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %USER_CERT_xx SSL User certificate subject attribute xx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %USER_CA_CERT_xx SSL User certificate issuer attribute xx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: all other format codes accepted by older Squid versions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are deprecated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# General request syntax:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID] FORMAT-values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FORMAT-values consists of transaction details expanded with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whitespace separation per the config file FORMAT specification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the FORMAT macros listed above.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request values sent to the helper are URL escaped to protect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each value in requests against whitespaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If using protocol=2.5 then the request sent to the helper is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL escaped to protect against whitespace.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: protocol=3.0 is deprecated as no longer necessary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When using the concurrency= option the protocol is changed by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# introducing a query channel tag in front of the request/response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The query channel tag is a number between 0 and concurrency-1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This value must be echoed back unchanged to Squid as the first part
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the response relating to its request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The helper receives lines expanded per the above format specification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and for each input line returns 1 line starting with OK/ERR/BH result
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# code and optionally followed by additional keywords with more details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# General result syntax:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID] result keyword=value ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Result consists of one of the codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the ACL test produced a match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the ACL test does not produce a match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An internal error occurred in the helper, preventing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a result being identified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The meaning of 'a match' is determined by your squid.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access control configuration. See the Squid wiki for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defined keywords:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user= The users name (login)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password= The users password (for login= cache_peer option)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message= Message describing the reason for this response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Available as %o in error pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Useful on (ERR and BH results).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tag= Apply a tag to a request. Only sets a tag once,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not alter existing tags.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log= String to be logged in access.log. Available as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ea in logformat specifications.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clt_conn_tag= Associates a TAG with the client TCP connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see url_rewrite_program related documentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for this kv-pair.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Any keywords may be sent on any response whether OK, ERR or BH.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All response keyword values need to be a single token with URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# escaping, or enclosed in double quotes (") and escaped using \ on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any double quotes or \ characters within the value. The wrapping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# double quotes are removed before the value is interpreted by Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \r and \n are also replace by CR and LF.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some example key values:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user=John%20Smith
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user="John Smith"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user="J. \"Bob\" Smith"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %#{User-Agent}>h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defining an Access List
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Every access list definition must begin with an aclname and acltype,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# followed by either type-specific arguments or a quoted filename that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# they are read from.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname acltype argument ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname acltype "file" ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When using "file", the file should contain one item per line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACL Options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some acl types supports options which changes their default behaviour:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -i,+i By default, regular expressions are CASE-SENSITIVE. To make them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# case-insensitive, use the -i option. To return case-sensitive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use the +i option between patterns, or make a new ACL line
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without -i.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -n Disable lookups and address type conversions. If lookup or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conversion is required because the parameter type (IP or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# domain name) does not match the message address type (domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name or IP), then the ACL would immediately declare a mismatch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without any warnings or lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -m[=delimiters]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Perform a list membership test, interpreting values as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# comma-separated token lists and matching against individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tokens instead of whole values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The optional "delimiters" parameter specifies one or more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alternative non-alphanumeric delimiter characters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-alphanumeric delimiter characters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -- Used to stop processing all options, in the case the first acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value has '-' character as first character (for example the '-'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is a valid domain name)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some acl types require suspending the current request in order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to access some external data source.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Those which do are marked with the tag [slow], those which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# don't are marked as [fast].
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for further information
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ***** ACL TYPES AVAILABLE *****
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname src ip-address/mask ... # clients IP address [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname src addr1-addr2/mask ... # range of addresses [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname dst [-n] ip-address/mask ... # URL host's IP address [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname localip ip-address/mask ... # IP address the client connected to [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#if USE_SQUID_EUI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname arp mac-address ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname eui64 eui64-address ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # MAC (EUI-48) and EUI-64 addresses use xx:xx:xx:xx:xx:xx notation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The 'arp' ACL code is not portable to all operating systems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # It works on Linux, Solaris, Windows, FreeBSD, and some other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # BSD variants.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The eui_lookup directive is required to be 'on' (the default)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and Squid built with --enable-eui for MAC/EUI addresses to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # available for this ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Squid can only determine the MAC/EUI address for IPv4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # clients that are on the same subnet. If the client is on a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # different subnet, then Squid cannot find out its address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # IPv6 protocol does not contain ARP. MAC/EUI is either
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # encoded directly in the IPv6 address or not available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname clientside_mark mark[/mask] ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # matches CONNMARK of an accepted connection [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # mark and mask are unsigned integers (hex, octal, or decimal).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # If multiple marks are given, then the ACL matches if at least
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # one mark matches.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Uses netfilter-conntrack library.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Requires building Squid with --enable-linux-netfilter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The client, various intermediaries, and Squid itself may set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # CONNMARK at various times. The last CONNMARK set wins. This ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # checks the mark present on an accepted connection or set by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Squid afterwards, depending on the ACL check timing. This ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # effectively ignores any mark set by other agents after Squid has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # accepted the connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname srcdomain .foo.com ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # reverse lookup, from client IP [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname dstdomain [-n] .foo.com ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Destination server from URL [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname srcdom_regex [-i] \.foo\.com ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex matching client name [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname dstdom_regex [-n] [-i] \.foo\.com ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex matching server [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # based URL is used and no match is found. The name "none" is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # if the reverse lookup fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname src_as number ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname dst_as number ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Except for access control, AS numbers can be used for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # routing of requests to specific caches. Here's an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # example for routing all requests for AS#1241 and only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # those to mycache.mydomain.net:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl asexample dst_as 1241
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # cache_peer_access mycache.mydomain.net allow asexample
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # cache_peer_access mycache_mydomain.net deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname peername myPeer ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname peername_regex [-i] regex-pattern ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against a named cache_peer entry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # set unique name= on cache_peer lines for reliable use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # day-abbrevs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # S - Sunday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # M - Monday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # T - Tuesday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # W - Wednesday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # H - Thursday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # F - Friday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # A - Saturday
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # h1:m1 must be less than h2:m2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname url_regex [-i] ^http:// ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex matching on whole URL [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname urllogin [-i] [^a-zA-Z0-9] ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex matching on URL login field
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname urlpath_regex [-i] \.gif$ ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex matching on URL path [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname port 80 70 21 0-1024... # destination TCP port [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ranges are alloed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname localport 3128 ... # TCP port the client connected to [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NP: for interception mode this is usually '80'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname myportname 3128 ... # *_port name [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname proto HTTP FTP ... # request protocol [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname method GET POST ... # HTTP request method [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname http_status 200 301 500- 400-403 ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # status code in reply [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname browser [-i] regexp ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # pattern match on User-Agent header (see also req_header below) [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname referer_regex [-i] regexp ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # pattern match on Referer header [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Referer is highly unreliable, so use with care
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ident [-i] username ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ident_regex [-i] pattern ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # string match on ident output [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # use REQUIRED to accept any non-null ident.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname proxy_auth [-i] username ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname proxy_auth_regex [-i] pattern ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # perform http authentication challenge to the client and match against
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # supplied credentials [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # takes a list of allowed usernames.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # use REQUIRED to accept any valid username.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Will use proxy authentication in forward-proxy scenarios, and plain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http authenticaiton in reverse-proxy scenarios
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: when a Proxy-Authentication header is sent but it is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # needed during ACL checking the username is NOT logged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # in access.log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: proxy_auth requires a EXTERNAL authentication program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # to check username/password combinations (see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # auth_param directive).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # as the browser needs to be configured for using a proxy in order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # to respond to proxy authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname snmp_community string ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # A community string to limit access to your SNMP Agent [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl snmppublic snmp_community public
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname maxconn number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # This will be matched when the client's IP address has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # more than <number> TCP connections established. [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: This only measures direct TCP links so X-Forwarded-For
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # indirect clients are not counted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname max_user_ip [-s] number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # This will be matched when the user attempts to log in from more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # than <number> different ip addresses. The authenticate_ip_ttl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # parameter controls the timeout on the ip entries. [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # If -s is specified the limit is strict, denying browsing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # from any further IP addresses until the ttl has expired. Without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # -s Squid will just annoy the user by "randomly" denying requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # (the counter is reset each time the limit is reached and a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # request is denied)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: in acceleration mode or where there is mesh of child proxies,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # clients may appear to come from multiple addresses if they are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # going through proxy farms, so a limit of 1 may cause user problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname random probability
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Pseudo-randomly match requests. Based on the probability given.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Probability may be written as a decimal (0.333), fraction (1/3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # or ratio of matches:non-matches (3:5).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname req_mime_type [-i] mime-type ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex match against the mime type of the request generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # by the client. Can be used to detect file upload or some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # types HTTP tunneling requests [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: This does NOT match the reply. You cannot use this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # to match the returned file type.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname req_header header-name [-i] any\.regex\.here
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex match against any of the known request headers. May be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # thought of as a superset of "browser", "referer" and "mime-type"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ACL [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname rep_mime_type [-i] mime-type ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex match against the mime type of the reply received by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # squid. Can be used to detect file download or some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # types HTTP tunneling requests. [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: This has no effect in http_access rules. It only has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # effect in rules that affect the reply data stream such as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http_reply_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname rep_header header-name [-i] any\.regex\.here
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex match against any of the known reply headers. May be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # thought of as a superset of "browser", "referer" and "mime-type"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ACLs [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname external class_name [arguments...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # external ACL lookup via a helper class defined by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # external_acl_type directive [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname user_cert attribute values...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against attributes in a user SSL certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ca_cert attribute values...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against attributes a users issuing CA SSL certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ext_user [-i] username ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ext_user_regex [-i] pattern ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # string match on username returned by external acl helper [slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # use REQUIRED to accept any non-null user name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname tag tagvalue ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # string match on tag returned by external acl helper [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # DEPRECATED. Only the first tag will match with this ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Use the 'note' ACL instead for handling multiple tag values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname hier_code codename ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # string match against squid hierarchy code(s); [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # e.g., DIRECT, PARENT_HIT, NONE, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: This has no effect in http_access rules. It only has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # effect in rules that affect the reply data stream such as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http_reply_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname note [-m[=delimiters]] name [value ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match transaction annotation [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Without values, matches any annotation with a given name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # With value(s), matches any annotation with a given name that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # also has one of the given values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # If the -m flag is used, then the value of the named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # annotation is interpreted as a list of tokens, and the ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # matches individual name=token pairs rather than whole
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # name=value pairs. See "ACL Options" above for more info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Annotation sources include note and adaptation_meta directives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # as well as helper and eCAP responses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname adaptation_service service ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Matches the name of any icap_service, ecap_service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # adaptation_service_set, or adaptation_service_chain that Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # has used (or attempted to use) for the master transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # This ACL must be defined after the corresponding adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # service is named in squid.conf. This ACL is usable with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # adaptation_meta because it starts matching immediately after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # the service has been selected for adaptation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname transaction_initiator initiator ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Matches transaction's initiator [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Supported initiators are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # esi: matches transactions fetching ESI resources
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # certificate-fetching: matches transactions fetching
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # a missing intermediate TLS certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # cache-digest: matches transactions fetching Cache Digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # from a cache_peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # htcp: matches HTCP requests from peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # icp: matches ICP requests to peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # icmp: matches ICMP RTT database (NetDB) requests to peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # asn: matches asns db requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # internal: matches any of the above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # client: matches transactions containing an HTTP or FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # client request received at a Squid *_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # all: matches any transaction, including internal transactions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # without a configurable initiator and hopefully rare
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # transactions without a known-to-Squid initiator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Multiple initiators are ORed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname has component
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # matches a transaction "component" [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Supported transaction components are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # request: transaction has a request header (at least)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # response: transaction has a response header (at least)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ALE: transaction has an internally-generated Access Log Entry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # structure; bugs notwithstanding, all transaction have it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For example, the following configuration helps when dealing with HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # clients that close connections without sending a request header:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl hasRequest has request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl logMe note important_transaction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # avoid "logMe ACL is used in context without an HTTP request" warnings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # access_log ... logformat=detailed hasRequest logMe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # log request-less transactions, instead of ignoring them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # access_log ... logformat=brief !hasRequest
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Multiple components are not supported for one "acl" rule, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # can be specified (and are ORed) using multiple same-name rules:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # OK, this strange logging daemon needs request or response,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # but can work without either a request or a response:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl hasWhatMyLoggingDaemonNeeds has request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl hasWhatMyLoggingDaemonNeeds has response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ssl_error errorname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against SSL certificate validation error [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For valid error names see in @PREFIX@/share/squid/errors/templates/error-details.txt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # template file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The following can be used as shortcuts for certificate properties:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [ssl::]certHasExpired: the "not after" field is in the past
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [ssl::]certNotYetValid: the "not before" field is in the future
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [ssl::]certUntrusted: The certificate issuer is not to be trusted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [ssl::]certSelfSigned: The certificate is self signed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # [ssl::]certDomainMismatch: The certificate CN domain does not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match the name the name of the host we are connecting to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ssl::certUntrusted, and ssl::certSelfSigned can also be used as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # predefined ACLs, just like the 'all' ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # NOTE: The ssl_error ACL is only supported with sslproxy_cert_error,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # sslproxy_cert_sign, and sslproxy_cert_adapt options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname server_cert_fingerprint [-sha1] fingerprint
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against server SSL certificate fingerprint [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The fingerprint is the digest of the DER encoded version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # of the whole certificate. The user should use the form: XX:XX:...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Optional argument specifies the digest algorithm to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The SHA1 digest algorithm is the default and is currently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # the only algorithm supported (-sha1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname at_step step
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against the current step during ssl_bump evaluation [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Never matches and should not be used outside the ssl_bump context.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # At each SslBump step, Squid evaluates ssl_bump directives to find
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # the next bumping action (e.g., peek or splice). Valid SslBump step
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # values and the corresponding ssl_bump evaluation moments are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SslBump1: After getting TCP-level and HTTP CONNECT info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SslBump2: After getting SSL Client Hello info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SslBump3: After getting SSL Server Hello info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ssl::server_name [option] .foo.com ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # matches server name obtained from various sources [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The ACL computes server name(s) using such information sources as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # CONNECT request URI, TLS client SNI, and TLS server certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # subject (CN and SubjectAltName). The computed server name(s) usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # change with each SslBump step, as more info becomes available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # * SNI is used as the server name instead of the request URI,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # * subject name(s) from the server certificate (CN and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SubjectAltName) are used as the server names instead of SNI.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # When the ACL computes multiple server names, matching any single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # computed name is sufficient for the ACL to match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The "none" name can be used to match transactions where the ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # could not compute the server name using any information source
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # that was both available and allowed to be used by the ACL options at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # the ACL evaluation time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Unlike dstdomain, this ACL does not perform DNS lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # An ACL option below may be used to restrict what information
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # sources are used to extract the server names from:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # --client-requested
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The server name is SNI regardless of what the server says.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # --server-provided
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The server name(s) are the certificate subject name(s), regardless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # of what the client has requested. If the server certificate is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # unavailable, then the name is "none".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # --consensus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The server name is either SNI (if SNI matches at least one of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # certificate subject names) or "none" (otherwise). When the server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # certificate is unavailable, the consensus server name is SNI.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Combining multiple options in one ACL is a fatal configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For all options: If no SNI is available, then the CONNECT request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # target (a.k.a. URI) is used instead of SNI (for an intercepted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # connection, this target is the destination IP address).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname ssl::server_name_regex [-i] \.foo\.com ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # regex matches server name obtained from various sources [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname connections_encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # matches transactions with all HTTP messages received over TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # transport connections. [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The master transaction deals with HTTP messages received from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # various sources. All sources used by the master transaction in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # past are considered by the ACL. The following rules define whether
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # a given message source taints the entire master transaction,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # resulting in ACL mismatches:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # * The HTTP client transport connection is not TLS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # * An adaptation service connection-encryption flag is off.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # * The peer or origin server transport connection is not TLS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Caching currently does not affect these rules. This cache ignorance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # implies that only the current HTTP client transport and REQMOD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # services status determine whether this ACL matches a from-cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # transaction. The source of the cached response does not have any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # effect on future transaction that use the cached response without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # revalidation. This may change.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # DNS, ICP, and HTCP exchanges during the master transaction do not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # affect these rules.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname any-of acl1 acl2 ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match any one of the acls [fast or slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The first matching ACL stops further ACL evaluation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ACLs from multiple any-of lines with the same name are ORed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For example, A = (a1 or a2) or (a3 or a4) can be written as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl A any-of a1 a2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl A any-of a3 a4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # This group ACL is fast if all evaluated ACLs in the group are fast
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and slow otherwise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname all-of acl1 acl2 ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match all of the acls [fast or slow]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The first mismatching ACL stops further ACL evaluation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ACLs from multiple all-of lines with the same name are ORed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For example, B = (b1 and b2) or (b3 and b4) can be written as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl B all-of b1 b2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl B all-of b3 b4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # This group ACL is fast if all evaluated ACLs in the group are fast
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and slow otherwise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl macaddress arp 09:00:2b:23:45:67
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl myexample dst_as 1241
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl password proxy_auth REQUIRED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl fileupload req_mime_type -i ^multipart/form-data$
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl javascript rep_mime_type -i ^application/x-javascript$
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACLs all, manager, localhost, and to_localhost are predefined.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Recommended minimum configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example rule allowing access from your local networks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Adapt to list your (internal) IP networks from where browsing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should be allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl localnet src fc00::/7 # RFC 4193 local private network range
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl SSL_ports port 443
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 80 # http
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 21 # ftp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 443 # https
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 70 # gopher
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 210 # wais
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 1025-65535 # unregistered ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 280 # http-mgmt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 488 # gss-http
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 591 # filemaker
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl Safe_ports port 777 # multiling http
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl CONNECT method CONNECT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: proxy_protocol_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determine which client proxies can be trusted to provide correct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# information regarding real client IP address using PROXY protocol.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requests may pass through a chain of several other proxies
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# before reaching us. The original source details may by sent in:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * HTTP message Forwarded header, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * HTTP message X-Forwarded-For header, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * PROXY protocol connection header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive is solely for validating new PROXY protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections received from a port flagged with require-proxy-header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is checked only once after TCP connection setup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A deny match results in TCP connection closure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An allow match is required for Squid to permit the corresponding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TCP connection, before Squid even looks for HTTP request headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there is an allow match, Squid starts using PROXY header information
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to determine the source address of the connection for all future ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checks, logging, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SECURITY CONSIDERATIONS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Any host from which we accept client IP details can place
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incorrect information in the relevant header, and Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will use the incorrect information as if it were the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# source address of the request. This may enable remote
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hosts to bypass any access control restrictions that are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# based on the client's source addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all TCP connections to ports with require-proxy-header will be denied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: follow_x_forwarded_for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determine which client proxies can be trusted to provide correct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# information regarding real client IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requests may pass through a chain of several other proxies
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# before reaching us. The original source details may by sent in:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * HTTP message Forwarded header, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * HTTP message X-Forwarded-For header, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * PROXY protocol connection header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PROXY protocol connections are controlled by the proxy_protocol_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directive which is checked before this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If a request reaches us from a source that is allowed by this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directive, then we trust the information it provides regarding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the IP of the client it received from (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the purpose of ACLs used in this directive the src ACL type always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the address we are testing and srcdomain matches its rDNS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On each HTTP request Squid checks for X-Forwarded-For header fields.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If found the header values are iterated in reverse order and an allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# match is required for Squid to continue on to the next value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The verification ends when a value receives a deny match, cannot be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tested, or there are no more values to test.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: Squid does not yet follow the Forwarded HTTP header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The end result of this process is an IP address that we will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refer to as the indirect client address. This address may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be treated as the client address for access control, ICAP, delay
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pools and logging, depending on the acl_uses_indirect_client,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_uses_indirect_client, delay_pool_uses_indirect_client,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log_uses_indirect_client and tproxy_uses_indirect_client options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SECURITY CONSIDERATIONS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Any host from which we accept client IP details can place
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incorrect information in the relevant header, and Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will use the incorrect information as if it were the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# source address of the request. This may enable remote
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hosts to bypass any access control restrictions that are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# based on the client's source addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl localhost src 127.0.0.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl my_other_proxy srcdomain .proxy.example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# follow_x_forwarded_for allow localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# follow_x_forwarded_for allow my_other_proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X-Forwarded-For header will be ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: acl_uses_indirect_client on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether the indirect client address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see follow_x_forwarded_for) is used instead of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direct client address in acl matching.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: maxconn ACL considers direct TCP links and indirect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients will always have zero. So no match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl_uses_indirect_client on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: delay_pool_uses_indirect_client on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether the indirect client address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see follow_x_forwarded_for) is used instead of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direct client address in delay pools.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_pool_uses_indirect_client on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_uses_indirect_client on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether the indirect client address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see follow_x_forwarded_for) is used instead of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direct client address in the access log.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log_uses_indirect_client on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: tproxy_uses_indirect_client on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-follow-x-forwarded-for and --enable-linux-netfilter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether the indirect client address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see follow_x_forwarded_for) is used instead of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direct client address when spoofing the outgoing client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This has no effect on requests arriving in non-tproxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mode ports.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SECURITY WARNING: Usage of this option is dangerous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and should not be used trivially. Correct configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of follow_x_forwarded_for with a limited set of trusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sources is required to prevent abuse of your proxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tproxy_uses_indirect_client off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: spoof_client_ip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Control client IP address spoofing of TPROXY traffic based on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defined access lists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spoof_client_ip allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there are no "spoof_client_ip" lines present, the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is to "allow" spoofing of any suitable request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that the cache_peer "no-tproxy" option overrides this ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow spoofing on all TPROXY traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: http_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allowing or Denying access based on defined access lists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To allow or deny a message received on an HTTP, HTTPS, or FTP port:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_access allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE on default values:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there are no "access" lines present, the default is to deny
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If none of the "access" lines cause a match, the default is the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# opposite of the last line in the list. If the last line was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny, the default is allow. Conversely, if the last line
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is allow, the default will be deny. For these reasons, it is a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# good idea to have an "deny all" entry at the end of your access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lists to avoid potential confusion.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Recommended minimum Access Permission configuration:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny requests to certain unsafe ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access deny !Safe_ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny CONNECT to other than secure SSL ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access deny CONNECT !SSL_ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only allow cachemgr access from localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access allow localhost manager
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access deny manager
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# We strongly recommend the following be uncommented to protect innocent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# web applications running on the proxy server who think the only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one who can access services on "localhost" is a local user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access deny to_localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example rule allowing access from your local networks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Adapt localnet in the ACL section to list your (internal) IP networks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from where browsing should be allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access allow localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# And finally deny all other access to this proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_access deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adapted_http_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allowing or Denying access based on defined access lists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Essentially identical to http_access, but runs after redirectors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and ICAP/eCAP adaptation. Allowing access control based on their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If not set then only http_access is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: http_reply_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow replies to client requests. This is complementary to http_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_reply_access allow|deny [!] aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: if there are no access lines present, the default is to allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all replies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If none of the access lines cause a match the opposite of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last line will apply. Thus it is good practice to end the rules
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with an "allow all" or "deny all" entry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icp_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allowing or Denying access to the ICP port based on defined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access lists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp_access allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The default if no icp_access lines are present is to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny all traffic. This default may cause problems with peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using ICP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Allow ICP queries from local networks only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+icp_access allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+icp_access deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
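</span><span style='display:block; white-space:pre;'>Review bot: the icp_access rules in this section are live ("icp_access allow localnet" followed by "icp_access deny all"),
while the equivalent htcp_access pair in the next section is left commented out with "##". That opens ICP queries to every
address matched by localnet, even though the documented default just above is to deny all ICP traffic when no rules exist.
If this port does not configure any ICP peers, suggest commenting these two lines out the same way as the htcp_access pair,
or adding a one-line comment saying which peer needs them. The same localnet ACL also decides "http_access allow localnet"
earlier in this file, so whatever the ACL section lists for localnet sets the reach of both rules.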
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: htcp_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allowing or Denying access to the HTCP port based on defined
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access lists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp_access allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also htcp_clr_access for details on access control for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache purge (CLR) HTCP messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The default if no htcp_access lines are present is to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny all traffic. This default may cause problems with peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the htcp option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Allow HTCP queries from local networks only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##htcp_access allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+##htcp_access deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: htcp_clr_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allowing or Denying access to purge content using HTCP based
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on defined access lists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See htcp_access for details on general HTCP access control.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp_clr_access allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Allow HTCP CLR requests from trusted peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#acl htcp_clr_peer src 192.0.2.2 2001:DB8::2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#htcp_clr_access allow htcp_clr_peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#htcp_clr_access deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: miss_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determines whether network access is permitted when satisfying a request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to force your neighbors to use you as a sibling instead of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a parent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl localclients src 192.0.2.0/24 2001:DB8::a:0/64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# miss_access deny !localclients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# miss_access allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This means only your local clients are allowed to fetch relayed/MISS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replies from the network and all other clients can only fetch cached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects (HITs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default for this setting allows all clients who passed the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_access rules to relay via this proxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ident_lookup_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A list of ACL elements which, if matched, cause an ident
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (RFC 931) lookup to be performed for this request. For
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# example, you might choose to always perform ident lookups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for your main multi-user Unix boxes, but not for your Macs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and PCs. By default, ident lookups are not performed for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To enable ident lookups for specific client addresses, you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can follow this example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl ident_aware_hosts src 198.168.1.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ident_lookup_access allow ident_aware_hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ident_lookup_access deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only src type ACL checks are fully supported. A srcdomain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACL might work at times, but it will not always provide
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the correct result.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unless rules exist in squid.conf, IDENT is not fetched.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
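Review bot: the commented ident example above, `acl ident_aware_hosts src 198.168.1.0/24`,
names a publicly routable range, not RFC 1918 private space; it looks like a typo for
192.168.1.0/24. Anyone who uncomments the three example lines as written would have Squid
perform ident lookups for clients in that public range rather than for the local network.
If squid.conf.macports has to stay identical to the stock file that squid-squid.conf.patch
is generated against, leave the line alone and say so in the commit message; otherwise
correct the range here.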
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: reply_body_max_size size [acl acl...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option specifies the maximum size of a reply body. It can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to prevent users from downloading very large files, such as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MP3's and movies. When the reply headers are received, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_body_max_size lines are processed, and the first line where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all (if any) listed ACLs are true is used as the maximum body size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for this reply.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This size is checked twice. First when we get the reply headers,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# we check the content-length value. If the content length value exists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and is larger than the allowed size, the request is denied and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user receives an error message that says "the request or reply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is too large." If there is no content-length, and the reply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# size exceeds this limit, the client's connection is just closed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and they will receive a partial reply.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: downstream caches probably can not detect a partial reply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if there is no content-length header, so they will cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# partial responses and give them out as hits. You should NOT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use this option if you have downstream caches.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: A maximum size smaller than the size of squid's error messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will cause an infinite loop and crash squid. Ensure that the smallest
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-zero value you use is greater that the maximum header size plus
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the size of your largest error page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you set this parameter none (the default), there will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no limit imposed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configuration Format is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_body_max_size SIZE UNITS [acl ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ie.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_body_max_size 10 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No limit is applied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: on_unsupported_protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determines Squid behavior when encountering strange requests at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# beginning of an accepted TCP connection or the beginning of a bumped
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT tunnel. Controlling Squid reaction to unexpected traffic is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# especially useful in interception environments where Squid is likely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to see connections for unsupported protocols that Squid should either
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminate or tunnel at TCP level.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on_unsupported_protocol <action> [!]acl ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The first matching action wins. Only fast ACLs are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supported actions are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tunnel: Establish a TCP connection with the intended server and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blindly shovel TCP packets between the client and server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# respond: Respond with an error message, using the transfer protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the Squid port that received the request (e.g., HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for connections intercepted at the http_port). This is the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid expects the following traffic patterns:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_port: a plain HTTP request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https_port: SSL/TLS handshake followed by an [encrypted] HTTP request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_port: a plain FTP command (no on_unsupported_protocol support yet!)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT tunnel on http_port: same as https_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT tunnel on https_port: same as https_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently, this directive has effect on intercepted connections and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bumped tunnels only. Other cases are not supported because Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cannot know the intended destination of other traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # define what Squid errors indicate receiving non-HTTP traffic:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # define what Squid errors indicate receiving nothing:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # tunnel everything that does not look like HTTP:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on_unsupported_protocol tunnel foreignProtocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # tunnel if we think the client waits for the server to talk first:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on_unsupported_protocol tunnel serverTalksFirstProtocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # in all other error cases, just send an HTTP "error page" response:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on_unsupported_protocol respond all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: squid_error ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Respond with an error message to unidentifiable traffic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NETWORK OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: http_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: port [mode] [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hostname:port [mode] [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1.2.3.4:port [mode] [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The socket addresses where Squid will listen for HTTP client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests. You may specify multiple socket addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are three forms: port alone, hostname with port, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IP address with port. If you specify a hostname or IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address, Squid binds the socket to that specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address. Most likely, you do not need to bind to a specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address, so you can use the port number alone.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are running Squid in accelerator mode, you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# probably want to listen on port 80 also, or instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The -a command line option may be used to specify additional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# port(s) where Squid listens for proxy request. Such ports will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be plain proxy ports with no options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You may specify multiple socket addresses on multiple lines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Modes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intercept Support for IP-Layer NAT interception delivering
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# traffic to this Squid port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NP: disables authentication on the port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of outgoing connections using the client IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NP: disables authentication on the port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accel Accelerator / reverse proxy mode
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# establish secure connection with the client and with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server, decrypt HTTPS messages as they pass through
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid, and treat them as unencrypted HTTP messages,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# becoming the man-in-the-middle.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The ssl_bump option is required to fully enable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bumping of CONNECT requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Omitting the mode flag causes default forward proxy mode to be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accelerator Mode Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defaultsite=domainname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# What to use for the Host: header if it is not present
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in a request. Determines what site (not origin server)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accelerators should consider the default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol= Protocol to reconstruct accelerated and intercepted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests with. Defaults to HTTP/1.1 for http_port and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTPS/1.1 for https_port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When an unsupported value is configured Squid will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# produce a FATAL error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vport Virtual host port support. Using the http_port number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of the port passed on Host: headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vport=NN Virtual host port support. Using the specified port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number instead of the port passed on Host: headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# act-as-origin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Act as if this Squid is the origin server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This currently means generate new Date: and Expires:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers on HIT instead of adding Age:.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-cc Ignore request Cache-Control headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: This option violates HTTP specifications if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used in non-accelerator setups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow-direct Allow direct forwarding in accelerator mode. Normally
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accelerated requests are denied direct forwarding as if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never_direct was used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: this option opens accelerator mode to security
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vulnerabilities usually only affecting in interception
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mode. Make sure to protect forwarding with suitable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_access rules when using this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL Bump Mode Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In addition to these options ssl-bump requires TLS/SSL options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# generate-host-certificates[=<on|off>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dynamically create SSL server certificates for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# destination hosts of bumped CONNECT requests.When
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enabled, the cert and key options are used to sign
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# generated certificates. Otherwise generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate will be selfsigned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there is a CA certificate lifetime of the generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate equals lifetime of the CA certificate. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# generated certificate is selfsigned lifetime is three
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# years.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is enabled by default when ssl-bump is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the ssl-bump option above for more information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dynamic_cert_mem_cache_size=SIZE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Approximate total RAM size spent on cached generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates. If set to zero, caching is disabled. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default value is 4MB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS / SSL Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cert= Path to file containing an X.509 certificate (PEM format)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to be used in the TLS handshake ServerHello.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this certificate is constrained by KeyUsage TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature it must allow HTTP server usage, along with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any additional restrictions imposed by your choice
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of options= settings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When OpenSSL is used this file may also contain a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chain of intermediate CA certificates to send in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS handshake.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When GnuTLS is used this option (and any paired
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-key= option) may be repeated to load multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates for different domains.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also, when generate-host-certificates=on is configured
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the first tls-cert= option must be a CA certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capable of signing the automatically generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-key= Path to a file containing private key file (PEM format)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the previous tls-cert= option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If tls-key= is not specified tls-cert= is assumed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reference a PEM file containing both the certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and private key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cipher= Colon separated list of supported ciphers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: some ciphers such as EDH ciphers depend on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional settings. If those settings are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# omitted the ciphers may be silently ignored
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the OpenSSL library.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options= Various SSL implementation options. The most important
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_SSLv3 Disallow the use of SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_TLSv1 Disallow the use of TLSv1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_TLSv1_1 Disallow the use of TLSv1.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_TLSv1_2 Disallow the use of TLSv1.2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SINGLE_DH_USE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always create a new key when using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# temporary/ephemeral DH key exchanges
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SINGLE_ECDH_USE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable ephemeral ECDH key exchange.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The adopted curve should be specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the tls-dh option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_TICKET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable use of RFC5077 session tickets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some servers may have problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understanding the TLS extension due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ambiguous specification in RFC4507.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALL Enable various bug workarounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# suggested as "harmless" by OpenSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Be warned that this reduces SSL/TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strength to some attacks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the OpenSSL SSL_CTX_set_options documentation for a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more complete list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientca= File containing the list of CAs to use when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requesting a client certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cafile= PEM file containing CA certificates to use when verifying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client certificates. If not configured clientca will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used. May be repeated to load multiple files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capath= Directory containing additional CA certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and CRL lists to use when verifying client certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires OpenSSL or LibreSSL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# crlfile= File of additional CRL lists to use when verifying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client certificate, in addition to CRLs stored in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the capath. Implies VERIFY_CRL flag below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-dh=[curve:]file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# File containing DH parameters for temporary/ephemeral DH key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exchanges, optionally prefixed by a curve for ephemeral ECDH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# key exchanges.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See OpenSSL documentation for details on how to create the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DH parameter file. Supported curves for ECDH can be listed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the "openssl ecparam -list_curves" command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: EDH and EECDH ciphers will be silently disabled if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this option is not set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslflags= Various flags modifying the use of SSL:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DELAYED_AUTH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't request client certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# immediately, but wait until acl processing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requires a certificate (not yet implemented).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_SESSION_REUSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't allow for session reuse. Each connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will result in a new SSL session.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# VERIFY_CRL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify CRL lists when accepting client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# VERIFY_CRL_ALL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Verify CRL lists for all certificates in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client certificate chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-default-ca[=off]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to use the system Trusted CAs. Default is OFF.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcontext= SSL session ID context identifier.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Other Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-auth[=on|off]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use connection-auth=off to tell Squid to prevent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarding Microsoft connection oriented authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (NTLM, Negotiate and Kerberos)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable-pmtu-discovery=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Control Path-MTU discovery usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# off lets OS decide on what to do (default).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transparent disable PMTU discovery when transparent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support is enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always disable always PMTU discovery.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In many setups of transparently intercepting proxies
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path-MTU discovery can not work on traffic towards the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients. This is the case when the intercepting device
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not fully track connections and fails to forward
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICMP must fragment messages to the cache server. If you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have such setup and experience that certain clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sporadically hang or never complete requests set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable-pmtu-discovery option to 'transparent'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name= Specifies a internal name for the port. Defaults to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the port specification (port or addr:port)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcpkeepalive[=idle,interval,timeout]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable TCP keepalive probes of idle connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In seconds; idle is the initial time before TCP starts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# probing the connection, interval how often to probe, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# timeout the time before giving up.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require-proxy-header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Require PROXY protocol version 1 or 2 connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The proxy_protocol_access is required to whitelist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# downstream proxies which can be trusted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you run Squid on a dual-homed machine with an internal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and an external interface we recommend you to specify the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# internal address:port in http_port. This way Squid will only be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# visible on the internal address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid normally listens to port 3128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+http_port @PROXY_SERVER@:3128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
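Review bot: `http_port @PROXY_SERVER@:3128` is only valid once the `@PROXY_SERVER@` token has been substituted, and the comment directly above it ("Squid normally listens to port 3128") says nothing about the address part. Suggest rewording that comment to state that the token must be replaced before Squid reads this file and that it should resolve to the internal address, as the dual-homed advice a few lines earlier recommends, so that a leftover token or an externally reachable address is noticed when the file is reviewed.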
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: https_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The socket address where Squid will listen for client requests made
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# over TLS or SSL connections. Commonly referred to as HTTPS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is most useful for situations where you are running squid in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accelerator mode and you want to do the TLS work at the accelerator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# level.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You may specify multiple socket addresses on multiple lines,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each with their own certificate and/or options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The tls-cert= option is mandatory on HTTPS ports.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http_port for a list of modes and options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enables Native FTP proxy by specifying the socket address where Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listens for FTP client requests. See http_port directive for various
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ways to specify the listening address and mode.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: ftp_port address [mode] [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: This is a new, experimental, complex feature that has seen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limited production exposure. Some Squid modules (e.g., caching) do not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# currently work with native FTP proxying, and many features have not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# even been tested for compatibility. Test well before deploying!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Native FTP proxying differs substantially from proxying HTTP requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with ftp:// URIs because Squid works as an FTP server and receives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actual FTP commands (rather than HTTP requests with FTP URLs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Native FTP commands accepted at ftp_port are internally converted or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wrapped into HTTP-like messages. The same happens to Native FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# responses received from FTP origin servers. Those HTTP-like messages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are shoveled through regular access control and adaptation layers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# between the FTP client and the FTP origin server. This allows Squid to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# examine, adapt, block, and log FTP exchanges. Squid reuses most HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mechanisms when shoveling wrapped FTP messages. For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_access and adaptation_access directives are used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Modes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intercept Same as http_port intercept. The FTP origin address is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# determined based on the intended destination of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intercepted connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tproxy Support Linux TPROXY for spoofing outgoing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections using the client IP address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NP: disables authentication and maybe IPv6 on the port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default (i.e., without an explicit mode option), Squid extracts the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FTP origin address from the login@origin parameter of the FTP USER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# command. Many popular FTP clients support such native FTP proxying.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name=token Specifies an internal name for the port. Defaults to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the port address. Usable with myportname ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp-track-dirs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enables tracking of FTP directories by injecting extra
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PWD commands and adjusting Request-URI (in wrapping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP requests) to reflect the current FTP server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory. Tracking is disabled by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol=FTP Protocol to reconstruct accelerated and intercepted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests with. Defaults to FTP. No other accepted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# values have been tested with. An unsupported value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# results in a FATAL error. Accepted values are FTP,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP (or HTTP/1.1), and HTTPS (or HTTPS/1.1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Other http_port modes and options that are not specific to HTTP and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTPS may also work.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: tcp_outgoing_tos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to select a TOS/Diffserv value for packets outgoing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the server side, based on an ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_tos ds-field [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example where normal_service_net uses the TOS value 0x00
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and good_service_net uses 0x20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl normal_service_net src 10.0.0.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl good_service_net src 10.0.1.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_tos 0x00 normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_tos 0x20 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TOS/DSCP values really only have local significance - so you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# know what you're specifying. For more information, see RFC2474,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC2475, and RFC3260.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "default" to use whatever default your host has.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that only multiples of 4 are usable as the two rightmost bits have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# been redefined for use by ECN (RFC 3168 section 23.1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid parser will enforce this by masking away the ECN bits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Processing proceeds in the order specified, and stops at first fully
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matching line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only fast ACLs are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: clientside_tos
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to select a TOS/DSCP value for packets being transmitted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the client-side, based on an ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientside_tos ds-field [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example where normal_service_net uses the TOS value 0x00
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and good_service_net uses 0x20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl normal_service_net src 10.0.0.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl good_service_net src 10.0.1.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientside_tos 0x00 normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientside_tos 0x20 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This feature is incompatible with qos_flows. Any TOS values set here
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be overwritten by TOS values in qos_flows.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "default" to use whatever default your host has.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that only multiples of 4 are usable as the two rightmost bits have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# been redefined for use by ECN (RFC 3168 section 23.1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid parser will enforce this by masking away the ECN bits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: tcp_outgoing_mark
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Packet MARK (Linux)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to apply a Netfilter mark value to outgoing packets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the server side, based on an ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_mark mark-value [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example where normal_service_net uses the mark value 0x00
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and good_service_net uses 0x20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl normal_service_net src 10.0.0.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl good_service_net src 10.0.1.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_mark 0x00 normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_mark 0x20 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only fast ACLs are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: clientside_mark
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Packet MARK (Linux)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to apply a Netfilter mark value to packets being transmitted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the client-side, based on an ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientside_mark mark-value [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example where normal_service_net uses the mark value 0x00
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and good_service_net uses 0x20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl normal_service_net src 10.0.0.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl good_service_net src 10.0.1.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientside_mark 0x00 normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clientside_mark 0x20 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This feature is incompatible with qos_flows. Any mark values set here
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be overwritten by mark values in qos_flows.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: qos_flows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to select a TOS/DSCP value to mark outgoing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections to the client, based on where the reply was sourced.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For platforms using netfilter, allows you to set a netfilter mark
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value instead of, or in addition to, a TOS value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default this functionality is disabled. To enable it with the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings simply use "qos_flows mark" or "qos_flows tos". Default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# settings will result in the netfilter mark or TOS value being copied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from the upstream connection to the client. Note that it is the connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNMARK value not the packet MARK value that is copied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is not currently possible to copy the mark or TOS value from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client to the upstream connection request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TOS values really only have local significance - so you should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# know what you're specifying. For more information, see RFC2474,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC2475, and RFC3260.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The TOS/DSCP byte must be exactly that - a octet value 0 - 255.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that only multiples of 4 are usable as the two rightmost bits have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# been redefined for use by ECN (RFC 3168 section 23.1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid parser will enforce this by masking away the ECN bits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mark values can be any unsigned 32-bit integer value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This setting is configured by setting the following values:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tos|mark Whether to set TOS or netfilter mark values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local-hit=0xFF Value to mark local cache hits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sibling-hit=0xFF Value to mark hits from sibling peers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parent-hit=0xFF Value to mark hits from parent peers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# miss=0xFF[/mask] Value to mark cache misses. Takes precedence
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# over the preserve-miss feature (see below), unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mask is specified, in which case only the bits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified in the mask are written.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The TOS variant of the following features are only possible on Linux
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and require your kernel to be patched with the TOS preserving ZPH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# patch, available from http://zph.bratcheda.org
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No patch is needed to preserve the netfilter mark, which will work
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with all variants of netfilter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable-preserve-miss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option disables the preservation of the TOS or netfilter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark. By default, the existing TOS or netfilter mark value of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the response coming from the remote server will be retained
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and masked with miss-mark.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: in the case of a netfilter mark, the mark must be set on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the connection (using the CONNMARK target) not on the packet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (MARK target).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# miss-mask=0xFF
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to mask certain bits in the TOS or mark value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received from the remote server, before copying the value to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the TOS sent towards clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default for tos: 0xFF (TOS from server is not changed).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default for mark: 0xFFFFFFFF (mark from server is not changed).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All of these features require the --enable-zph-qos compilation flag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (enabled by default). Netfilter marking also requires the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# libnetfilter_conntrack libraries (--with-netfilter-conntrack) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# libcap 2.09+ (--with-libcap).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: tcp_outgoing_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to map requests to different outgoing IP addresses
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# based on the username or source address of the user making
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address ipaddr [[!]aclname] ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Forwarding clients with dedicated IPs for certain subnets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl normal_service_net src 10.0.0.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl good_service_net src 10.0.2.0/24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address 2001:db8::c001 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address 10.1.0.2 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address 2001:db8::beef normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address 10.1.0.1 normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address 2001:db8::1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp_outgoing_address 10.1.0.3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Processing proceeds in the order specified, and stops at first fully
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matching line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will add an implicit IP version test to each line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The use of this directive using client dependent ACLs is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incompatible with the use of server side persistent connections. To
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ensure correct results it is best to set server_persistent_connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to off when using this directive in such configurations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The use of this directive to set a local IP on outgoing TCP links
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is incompatible with using TPROXY to set client IP out outbound TCP links.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When needing to contact peers use the no-tproxy cache_peer option and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_dst_passthru directive re-enable normal forwarding such as this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Address selection is performed by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: host_verify_strict
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Regardless of this option setting, when dealing with intercepted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# traffic, Squid always verifies that the destination IP address matches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the Host header domain or IP (called 'authority form URL').
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This enforcement is performed to satisfy a MUST-level requirement in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC 2616 section 14.23: "The Host field value MUST represent the naming
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authority of the origin server or gateway given by the original URL".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set to ON:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid always responds with an HTTP 409 (Conflict) error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# page and logs a security warning if there is no match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid verifies that the destination IP address matches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the Host header for forward-proxy and reverse-proxy traffic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as well. For those traffic types, Squid also enables the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following checks, comparing the corresponding Host header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and Request-URI components:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * The host names (domain or IP) must be identical,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but valueless or missing Host header disables all checks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the two host names to match, both must be either IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or FQDN.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Port numbers must be identical, but if a port is missing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the scheme-default port is assumed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set to OFF (the default):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid allows suspicious requests to continue but logs a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# security warning and blocks caching of the response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Forward-proxy traffic is not checked at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Reverse-proxy traffic is not checked at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Intercepted traffic which passes verification is handled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# according to client_dst_passthru.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Intercepted requests which fail verification are sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the client original destination instead of DIRECT.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This overrides 'client_dst_passthru off'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For now suspicious intercepted CONNECT requests are always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# responded to with an HTTP 409 (Conflict) error page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SECURITY NOTE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# As described in CVE-2009-0801 when the Host: header alone is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to determine the destination of a request it becomes trivial for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# malicious scripts on remote websites to bypass browser same-origin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# security policy and sandboxing protections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The cause of this is that such applets are allowed to perform their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# own HTTP stack, in which case the same-origin policy of the browser
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sandbox only verifies that the applet tries to contact the same IP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as from where it was loaded at the IP level. The Host: header may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be different from the connected IP and approved origin.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# host_verify_strict off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_dst_passthru
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With NAT or TPROXY intercepted traffic Squid may pass the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directly to the original client destination IP or seek a faster
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# source using the HTTP Host header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Using Host to locate alternative servers can provide faster
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connectivity with a range of failure recovery options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# But can also lead to connectivity trouble when the client and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server are attempting stateful interactions unaware of the proxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option (on by default) prevents alternative DNS entries being
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# located to send intercepted traffic DIRECT to an origin server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The clients original destination IP and port will be used instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Regardless of this option setting, when dealing with intercepted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# traffic Squid will verify the Host: header and any traffic which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fails Host verification will be treated as if this option were ON.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see host_verify_strict for details on the verification process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_dst_passthru on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: tls_outgoing_options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable Do not support https:// URLs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cert=/path/to/client/certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A client X.509 certificate to use when connecting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# key=/path/to/client/private_key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The private key corresponding to the cert= above.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If key= is not specified cert= is assumed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reference a PEM file containing both the certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and private key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cipher=... The list of valid TLS ciphers to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min-version=1.N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum TLS protocol version to permit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To control SSLv3 use the options= parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supported Values: 1.0 (default), 1.1, 1.2, 1.3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options=... Specify various TLS/SSL implementation options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OpenSSL options most important are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_SSLv3 Disallow the use of SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SINGLE_DH_USE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always create a new key when using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# temporary/ephemeral DH key exchanges
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_TICKET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable use of RFC5077 session tickets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some servers may have problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understanding the TLS extension due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ambiguous specification in RFC4507.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALL Enable various bug workarounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# suggested as "harmless" by OpenSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Be warned that this reduces SSL/TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strength to some attacks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the OpenSSL SSL_CTX_set_options documentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for a more complete list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GnuTLS options most important are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %NO_TICKETS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable use of RFC5077 session tickets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some servers may have problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understanding the TLS extension due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ambiguous specification in RFC4507.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the GnuTLS Priority Strings documentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for a more complete list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cafile= PEM file containing CA certificates to use when verifying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the peer certificate. May be repeated to load multiple files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capath= A directory containing additional CA certificates to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use when verifying the peer certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires OpenSSL or LibreSSL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# crlfile=... A certificate revocation list file to use when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verifying the peer certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flags=... Specify various flags modifying the TLS implementation:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DONT_VERIFY_PEER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept certificates even if they fail to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verify.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DONT_VERIFY_DOMAIN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't verify the peer certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the server name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default-ca[=off]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to use the system Trusted CAs. Default is ON.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# domain= The peer name as advertised in its certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Used for verifying the correctness of the received peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate. If not specified the peer hostname will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls_outgoing_options min-version=1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
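Review bot: the tls_outgoing_options block above documents `min-version=1.0` as the default, so TLS 1.0 and 1.1 stay permitted on outbound connections unless the active (uncommented) part of this file sets a floor. The commit message says TLS connections now bypass privoxy, so squid's own settings are what govern them. Consider adding an explicit `tls_outgoing_options min-version=1.2` to the active configuration. Also confirm that no active `flags=` value carries DONT_VERIFY_PEER or DONT_VERIFY_DOMAIN, which this block describes as accepting certificates that fail verification or that do not match the server name.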
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ssl_unclean_shutdown
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some browsers (especially MSIE) bugs out on SSL shutdown
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_unclean_shutdown off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ssl_engine
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The OpenSSL engine to use. You will need to set this if you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# would like to use hardware SSL acceleration for example.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_session_ttl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the timeout value for SSL sessions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslproxy_session_ttl 300
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_session_cache_size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the cache size to use for ssl session
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslproxy_session_cache_size 2 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_foreign_intermediate_certs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many origin servers fail to send their full server certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chain for verification, assuming the client already has or can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# easily locate any missing intermediate certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid uses the certificates from the specified file to fill in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these missing chains when trying to validate origin server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate chains.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The file is expected to contain zero or more PEM-encoded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intermediate certificates. These certificates are not treated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as trusted root certificates, and any self-signed certificate in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this file will be ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_cert_sign_hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the hashing algorithm to use when signing generated certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid algorithm names depend on the OpenSSL library used. The following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# names are usually available: sha1, sha256, sha512, and md5. Please see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your OpenSSL library manual for the available hashes. By default, Squids
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that support this option use sha256 hashes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid does not forcefully purge cached certificates that were generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with an algorithm other than the currently configured one. They remain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the cache, subject to the regular cache eviction policy, and become
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# useful if the algorithm changes again.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ssl_bump
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is consulted when a CONNECT request is received on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an http_port (or a new connection is intercepted at an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https_port), provided that port was configured with an ssl-bump
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flag. The subsequent data on the connection is either treated as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTPS and decrypted OR tunneled at TCP level without decryption,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# depending on the first matching bumping "action".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_bump <action> [!]acl ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following bumping actions are currently supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# splice
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Become a TCP tunnel without decrypting proxied traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the default action.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bump
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When used on step SslBump1, establishes a secure connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the client first, then connect to the server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When used on step SslBump2 or SslBump3, establishes a secure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection with the server and, using a mimicked server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate, with the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peek
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Receive client (step SslBump1) or server (step SslBump2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate while preserving the possibility of splicing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection. Peeking at the server certificate (during step 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# usually precludes bumping of the connection at step 3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stare
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Receive client (step SslBump1) or server (step SslBump2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate while preserving the possibility of bumping the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection. Staring at the server certificate (during step 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# usually precludes splicing of the connection at step 3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Close client and server connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Backward compatibility actions available at step SslBump1:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Bump the connection. Establish a secure connection with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client first, then connect to the server. This old mode does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not allow Squid to mimic server SSL certificate and does not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# work with intercepted SSL connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server-first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Bump the connection. Establish a secure connection with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server first, then establish a secure connection with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client, using a mimicked server certificate. Works with both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT requests and intercepted SSL connections, but does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not allow to make decisions based on SSL handshake info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peek-and-splice
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Decide whether to bump or splice the connection based on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client-to-squid and server-to-squid SSL hello messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# XXX: Remove.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Same as the "splice" action.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All ssl_bump rules are evaluated at each of the supported bumping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# steps. Rules with actions that are impossible at the current step are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignored. The first matching ssl_bump action wins and is applied at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# end of the current step. If no rules match, the splice action is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the at_step ACL for a list of the supported SslBump steps.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: http_port ssl-bump, https_port ssl-bump, and acl at_step.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Example: Bump all TLS connections except those originating from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # localhost or those going to example.com.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl broken_sites ssl::server_name .example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_bump splice localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_bump splice broken_sites
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl_bump bump all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Become a TCP tunnel without decrypting proxied traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_cert_error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this ACL to bypass server certificate validation errors.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, the following lines will bypass all validation errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when talking to servers for example.com. All other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# validation errors will result in ERR_SECURE_CONNECT_FAIL error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl BrokenButTrustedServers dstdomain example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslproxy_cert_error allow BrokenButTrustedServers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslproxy_cert_error deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Using slow acl types may result in server crashes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Without this option, all server certificate validation errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminate the transaction to protect Squid and the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but should not happen unless your OpenSSL library is buggy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SECURITY WARNING:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Bypassing validation errors is dangerous because an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# error usually implies that the server cannot be trusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and the connection may be insecure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: sslproxy_flags and DONT_VERIFY_PEER.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Server certificate errors terminate the transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_cert_sign
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslproxy_cert_sign <signing algorithm> acl ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following certificate signing algorithms are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# signTrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sign using the configured CA certificate which is usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# placed in and trusted by end-user browsers. This is the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default for trusted origin server certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# signUntrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the default for untrusted origin server certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that are not self-signed (see ssl::certUntrusted).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# signSelf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sign using a self-signed certificate with the right CN to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# browser. This is the default for self-signed origin server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates (see ssl::certSelfSigned).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# signing algorithm to generate the certificate and ignores all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subsequent sslproxy_cert_sign options (the first match wins). If no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl(s) match, the default signing algorithm is determined by errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# detected when obtaining and validating the origin server certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT request that carries a domain name. In all other cases (CONNECT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to an IP address or an intercepted SSL connection), Squid cannot detect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the domain mismatch at certificate generation time when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bump-server-first is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
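Review bot: the WARNING that closes the sslproxy_cert_sign section is about a different directive ("can be used with sslproxy_cert_adapt, but if and only if Squid is bumping a CONNECT request that carries a domain name").
The same six lines appear again verbatim under TAG: sslproxy_cert_adapt just below, so the copy here reads as a paste from that section.
If the caveat is meant to cover signing rules as well, name sslproxy_cert_sign in it; otherwise drop it from this section.
Both copies also write the ACL as ssl:certDomainMismatch with a single colon, while this section writes ssl::certUntrusted and ssl::certSelfSigned; make the spelling consistent.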
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslproxy_cert_adapt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslproxy_cert_adapt <adaptation algorithm> acl ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following certificate adaptation algorithms are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setValidAfter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the "Not After" property to the "Not After" property of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the CA certificate used to sign generated certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setValidBefore
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the "Not Before" property to the "Not Before" property of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the CA certificate used to sign generated certificates.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setCommonName or setCommonName{CN}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets Subject.CN property to the host name specified as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CN parameter or, if no explicit CN parameter was specified,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# extracted from the CONNECT request. It is a misconfiguration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to use setCommonName without an explicit parameter for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intercepted or tproxied SSL connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# corresponding adaptation algorithm to generate the certificate and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignores all subsequent sslproxy_cert_adapt options in that algorithm's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# group (i.e., the first match wins within each algorithm group). If no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl(s) match, the default mimicking action takes place.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT request that carries a domain name. In all other cases (CONNECT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to an IP address or an intercepted SSL connection), Squid cannot detect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the domain mismatch at certificate generation time when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bump-server-first is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslpassword_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify a program used for entering SSL key passphrases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when using encrypted SSL certificate keys. If not specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keys must either be unencrypted, or Squid started with the -N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option to allow it to query interactively for the passphrase.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The key file name is given as argument to the program allowing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# selection of the right password if you have multiple encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keys.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS RELATING TO EXTERNAL SSL_CRTD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslcrtd_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-ssl-crtd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location and options of the executable for certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# generator.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# @PREFIX@/libexec/squid/security_file_certgen program can use a disk cache to improve response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# times on repeated requests. To enable caching, specify -s and -M
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameters. If those parameters are not given, the program generates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a new certificate on every request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For more information use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# @PREFIX@/libexec/squid/security_file_certgen -h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcrtd_program @PREFIX@/libexec/squid/security_file_certgen -s @PREFIX@/var/squid/cache/ssl_db -M 4MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslcrtd_children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-ssl-crtd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the maximum number of certificate generation processes that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid may spawn (numberofchildren) and several related options. Using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too few of these helper processes (a.k.a. "helpers") creates request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queues. Using too many helpers wastes your system resources. Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not support spawning more than 32 helpers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: numberofchildren [option]...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The startup= and idle= options allow some measure of skew in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tuning.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the minimum number of processes to spawn when Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starts or reconfigures. When set to zero the first request will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cause spawning of the first child process to handle it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Starting too few children temporary slows Squid under load while it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to spawn enough additional processes to cope with traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idle=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets a minimum of how many processes Squid is to try and keep available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at all times. When traffic begins to rise above what the existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes can handle this many more will be spawned up to the maximum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured. A minimum setting of 1 is required.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue-size=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the maximum number of queued requests. A request is queued when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no existing child is idle and no new child can be started due to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# numberofchildren limit. If the queued requests exceed queue size for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more than 3 minutes squid aborts its operation. The default value is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set to 2*numberofchildren.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You must have at least one ssl_crtd process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcrtd_children 32 startup=5 idle=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslcrtvalidator_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location and options of the executable for ssl_crt_validator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: sslcrtvalidator_program [ttl=n] [cache=n] path ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ttl=n TTL in seconds for cached results. The default is 60 secs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache=n limit the result cache size. The default value is 2048
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sslcrtvalidator_children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the maximum number of certificate validation processes that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid may spawn (numberofchildren) and several related options. Using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too few of these helper processes (a.k.a. "helpers") creates request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queues. Using too many helpers wastes your system resources. Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not support spawning more than 32 helpers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: numberofchildren [option]...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The startup= and idle= options allow some measure of skew in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tuning.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the minimum number of processes to spawn when Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starts or reconfigures. When set to zero the first request will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cause spawning of the first child process to handle it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Starting too few children temporary slows Squid under load while it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tries to spawn enough additional processes to cope with traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idle=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets a minimum of how many processes Squid is to try and keep available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at all times. When traffic begins to rise above what the existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes can handle this many more will be spawned up to the maximum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured. A minimum setting of 1 is required.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrency=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The number of requests each certificate validator helper can handle in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parallel. A value of 0 indicates the certficate validator does not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support concurrency. Defaults to 1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this directive is set to a value >= 1 then the protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to communicate with the helper is modified to include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a request ID in front of the request/response. The request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ID from the request must be echoed back with the response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to that request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue-size=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the maximum number of queued requests. A request is queued when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no existing child can accept it due to concurrency limit and no new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# child can be started due to numberofchildren limit. If the queued
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests exceed queue size for more than 3 minutes squid aborts its
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# operation. The default value is set to 2*numberofchildren.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You must have at least one ssl_crt_validator process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcrtvalidator_children 32 startup=5 idle=1 concurrency=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
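Review bot: the sslcrtvalidator_children comment block added here carries two wording errors, "certficate" in the concurrency= paragraph and "temporary slows" in the startup= paragraph. If squid.conf.macports is meant to be an unmodified copy of the stock squid.conf that squid-squid.conf.patch is applied against, leave the text as it is, but state that in the commit message along with the Squid version it was copied from, so the next update can be checked against the right base. If the file is maintained locally, correct the two words. Every line in this stretch is a comment or a commented-out default, so neither choice changes Squid's behaviour.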
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To specify other caches in a hierarchy, use the format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer hostname type http-port icp-port [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # proxy icp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # hostname type port port options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # -------------------- -------- ----- ----- -----------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer parent.foo.net parent 3128 3130 default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer example.com parent 80 0 default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer cdn.example.com sibling 3128 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# type: either 'parent', 'sibling', or 'multicast'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy-port: The port number where the peer accept HTTP requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For other Squid proxies this is usually 3128
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For web servers this is usually 80
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp-port: Used for querying neighbor caches about objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set to 0 if the peer does not support ICP or HTCP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See ICP and HTCP options below for additional details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== ICP OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You MUST also set icp_port and icp_access explicitly when using these options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The defaults will prevent peer traffic using ICP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-query Disable ICP queries to this neighbor.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multicast-responder
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Indicates the named peer is a member of a multicast group.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICP queries will not be sent directly to the peer, but ICP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replies will be accepted from it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# background-ping
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To only send ICP queries to this neighbor infrequently.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used to keep the neighbor round trip time updated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and is usually used in conjunction with weighted-round-robin.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== HTCP OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You MUST also set htcp_port and htcp_access explicitly when using these options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The defaults will prevent peer traffic using HTCP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp Send HTCP, instead of ICP, queries to the neighbor.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You probably also want to set the "icp-port" to 4827
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of 3130. This directive accepts a comma separated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list of options described below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp=oldsquid Send HTCP to old Squid versions (2.5 or earlier).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp=no-clr Send HTCP to the neighbor but without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sending any CLR requests. This cannot be used with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only-clr.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp=only-clr Send HTCP to the neighbor but ONLY CLR requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This cannot be used with no-clr.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp=no-purge-clr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send HTCP to the neighbor including CLRs but only when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# they do not result from PURGE requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp=forward-clr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Forward any HTCP CLR requests this proxy receives to the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== PEER SELECTION METHODS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default peer selection method is ICP, with the first responding peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being used as source. These options can be used for better load balancing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default This is a parent cache which can be used as a "last-resort"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if a peer cannot be located by any of the peer-selection methods.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If specified more than once, only the first is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# round-robin Load-Balance parents which should be used in a round-robin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fashion in the absence of any ICP queries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# weight=N can be used to add bias.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# weighted-round-robin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Load-Balance parents which should be used in a round-robin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fashion with the frequency of each parent being based on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# round trip time. Closer parents are used more often.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usually used for background-ping parents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# weight=N can be used to add bias.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# carp Load-Balance parents which should be used as a CARP array.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The requests will be distributed among the parents based on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CARP load balancing hash function based on their weight.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# userhash Load-balance parents based on the client proxy_auth or ident username.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sourcehash Load-balance parents based on the client source IP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multicast-siblings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To be used only for cache peers of type "multicast".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALL members of this multicast group have "sibling"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# relationship with it, not "parent". This is to a multicast
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# group when the requested object would be fetched only from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a "parent" cache, anyway. It's useful, e.g., when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuring a pool of redundant Squid proxies, being
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# members of the same multicast group.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== PEER SELECTION OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# weight=N use to affect the selection of a peer during any weighted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peer-selection mechanisms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The weight must be an integer; default is 1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# larger weights are favored more.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option does not affect parent selection if a peering
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol is not in use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# basetime=N Specify a base amount to be subtracted from round trip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# times of parents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is subtracted before division by weight in calculating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which parent to fectch from. If the rtt is less than the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# base time the rtt is set to a minimal value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ttl=N Specify a TTL to use when sending multicast ICP queries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to this address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only useful when sending to a multicast group.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Because we don't accept ICP replies from random
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hosts, you must configure other group members as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peers with the 'multicast-responder' option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-delay To prevent access to this neighbor from influencing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay pools.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest-url=URL Tell Squid to fetch the cache digest (if digests are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enabled) for this host from the specified URL rather
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# than the Squid default location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== CARP OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# carp-key=key-specification
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use a different key than the full URL to hash against the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the key-specification is a comma-separated list of the keywords
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# scheme, host, port, path, params
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Order is not important.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# originserver Causes this parent to be contacted as an origin server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Meant to be used in accelerator setups when the peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is a web server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forceddomain=name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the Host header of requests forwarded to this peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Useful in accelerator setups where the server (peer)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expects a certain domain name but clients may request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# others. ie example.com or www.example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-digest Disable request of cache digests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-netdb-exchange
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disables requesting ICMP RTT database (NetDB).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== AUTHENTICATION OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=user:password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this is a personal/workgroup proxy and your parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requires proxy authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: The string can include URL escapes (i.e. %20 for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spaces). This also means % must be written as %%.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=PASSTHRU
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send login details received from client to this peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Both Proxy- and WWW-Authorization headers are passed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# without alteration to the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication is not required by Squid for this to work.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This will pass any form of authentication but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only Basic auth will work through a proxy unless the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-auth options are also used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=PASS Send login details received from client to this peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Authentication is not required by this option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If there are no client-provided authentication headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to pass on, but username and password are available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from an external ACL user= and password= result tags
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# they may be sent instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: To combine this with proxy_auth both proxies must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# share the same user database as HTTP only allows for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a single login (one for proxy, one for origin server).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also be warned this will expose your users proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password to the peer. USE WITH CAUTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=*:password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send the username to the upstream cache, but with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fixed password. This is meant to be used when the peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is in another administrative domain, but it is still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# needed to identify each user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The star can optionally be followed by some extra
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# information which is added to the username. This can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be used to identify this proxy to the peer, similar to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the login=username:password option above.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=NEGOTIATE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this is a personal/workgroup proxy and your parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requires a secure proxy authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The first principal from the default keytab or defined by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the environment variable KRB5_KTNAME will be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: The connection may transmit requests from multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients. Negotiate often assumes end-to-end authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and a single-client. Which is not strictly true here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=NEGOTIATE:principal_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this is a personal/workgroup proxy and your parent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requires a secure proxy authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The principal principal_name from the default keytab or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defined by the environment variable KRB5_KTNAME will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: The connection may transmit requests from multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clients. Negotiate often assumes end-to-end authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and a single-client. Which is not strictly true here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-auth=on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Tell Squid that this peer does or not support Microsoft
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection oriented authentication, and any such
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# challenges received from there should be ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default is auto to automatically determine the status
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth-no-keytab
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not use a keytab to authenticate to a peer when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# login=NEGOTIATE is specified. Let the GSSAPI
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# implementation determine which already existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# credentials cache to use instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== SSL / HTTPS / TLS OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls Encrypt connections to this peer with TLS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcert=/path/to/ssl/certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A client X.509 certificate to use when connecting to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslkey=/path/to/ssl/key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The private key corresponding to sslcert above.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If sslkey= is not specified sslcert= is assumed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reference a PEM file containing both the certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and private key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcipher=... The list of valid SSL ciphers to use when connecting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to this peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-min-version=1.N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum TLS protocol version to permit. To control
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSLv3 use the tls-options= parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supported Values: 1.0 (default), 1.1, 1.2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-options=... Specify various TLS implementation options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OpenSSL options most important are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_SSLv3 Disallow the use of SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SINGLE_DH_USE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always create a new key when using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# temporary/ephemeral DH key exchanges
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_TICKET
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable use of RFC5077 session tickets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some servers may have problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understanding the TLS extension due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ambiguous specification in RFC4507.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALL Enable various bug workarounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# suggested as "harmless" by OpenSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Be warned that this reduces SSL/TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strength to some attacks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the OpenSSL SSL_CTX_set_options documentation for a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more complete list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GnuTLS options most important are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %NO_TICKETS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disable use of RFC5077 session tickets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some servers may have problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understanding the TLS extension due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ambiguous specification in RFC4507.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the GnuTLS Priority Strings documentation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for a more complete list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://www.gnutls.org/manual/gnutls.html#Priority-Strings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cafile= PEM file containing CA certificates to use when verifying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the peer certificate. May be repeated to load multiple files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcapath=... A directory containing additional CA certificates to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use when verifying the peer certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires OpenSSL or LibreSSL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslcrlfile=... A certificate revocation list file to use when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verifying the peer certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sslflags=... Specify various flags modifying the SSL implementation:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DONT_VERIFY_PEER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept certificates even if they fail to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verify.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DONT_VERIFY_DOMAIN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't verify the peer certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the server name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssldomain= The peer name as advertised in it's certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Used for verifying the correctness of the received peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate. If not specified the peer hostname will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# front-end-https[=off|on|auto]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable the "Front-End-Https: On" header needed when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using Squid as a SSL frontend in front of Microsoft OWA.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See MS KB document Q307347 for details on this header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to auto the header will only be added if the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request is forwarded as a https:// URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-default-ca[=off]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to use the system Trusted CAs. Default is ON.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== GENERAL OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect-timeout=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A peer-specific connect timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also see the peer_connect_timeout directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect-fail-limit=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How many times connecting to a peer must fail before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it is marked as down. Standby connection failures
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# count towards this limit. Default is 10.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow-miss Disable Squid's use of only-if-cached when forwarding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests to siblings. This is primarily useful when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp_hit_stale is used by the sibling. Excessive use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of this option may result in forwarding loops. One way
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to prevent peering loops when using this option, is to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny cache peer usage on requests from a peer:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl fromPeer ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer_access peerName deny fromPeer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-conn=N Limit the number of concurrent connections the Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may open to this peer, including already opened idle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and standby connections. There is no peer-specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection limit by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A peer exceeding the limit is not used for new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests unless a standby connection is available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-conn currently works poorly with idle persistent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections: When a peer reaches its max-conn limit,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and there are idle persistent connections to the peer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the peer may not be selected because the limiting code
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not know whether Squid can reuse those idle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standby=N Maintain a pool of N "hot standby" connections to an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UP peer, available for requests when no idle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# persistent connection is available (or safe) to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default and with zero N, no such pool is maintained.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# N must not exceed the max-conn limit (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# At start or after reconfiguration, Squid opens new TCP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standby connections until there are N connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available and then replenishes the standby pool as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# opened connections are used up for requests. A used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection never goes back to the standby pool, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may go to the regular idle persistent connection pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared by all peers and origin servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid never opens multiple new standby connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrently. This one-at-a-time approach minimizes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# flooding-like effect on peers. Furthermore, just a few
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standby connections should be sufficient in most cases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to supply most new requests with a ready-to-use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Standby connections obey server_idle_pconn_timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the feature to work as intended, the peer must be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured to accept and keep them open longer than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the idle timeout at the connecting Squid, to minimize
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# race conditions typical to idle used persistent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections. Default request_timeout and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server_idle_pconn_timeout values ensure such a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name=xxx Unique name for the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Required if you have multiple peers on the same host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but different ports.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This name can be used in cache_peer_access and similar
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directives to identify the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Can be used by outgoing access controls through the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peername ACL type.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-tproxy Do not use the client-spoof TPROXY support when forwarding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests to this peer. Use normal address selection instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This overrides the spoof_client_ip ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy-only objects fetched from the peer will not be stored locally.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Define Privoxy as parent proxy (without ICP)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache_peer @PROXY_SERVER@ parent 8118 0 no-digest no-query default name=privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If privoxy is run on the LAN:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#cache_peer 10.0.1.3 parent 8118 0 no-digest no-query default name=privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I2P
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer @PROXY_SERVER@ parent 4443 0 no-digest no-query default name=i2p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_peer_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Restricts usage of cache_peer proxies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer_access peer-name allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the required peer-name parameter, use either the value of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer name=value parameter or, if name=value is missing, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer hostname parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive narrows down the selection of peering candidates, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not determine the order in which the selected candidates are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# contacted. That order is determined by the peer selection algorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see PEER SELECTION sections in the cache_peer documentation).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If a deny rule matches, the corresponding peer will not be contacted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the current transaction -- Squid will not send ICP queries and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will not forward HTTP requests to that peer. An allow match leaves
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the corresponding peer in the selection. The first match for a given
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peer wins for that peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The relative order of cache_peer_access directives for the same peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matters. The relative order of any two cache_peer_access directives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for different peers does not matter. To ease interpretation, it is a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# good idea to group cache_peer_access directives for the same peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# together.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A single cache_peer_access directive may be evaluated multiple times
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for a given transaction because individual peer selection algorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may check it independently from each other. These redundant checks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be optimized away in future Squid versions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No peer usage restrictions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny CONNECT to privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache_peer_access privoxy deny CONNECT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I2P
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl i2p dstdomain -n .i2p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer_access i2p allow i2p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer_access i2p deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
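</span><span style='display:block; white-space:pre;color:#404040;'>Review bot: the comment "# deny CONNECT to privoxy" above `cache_peer_access privoxy deny CONNECT` restates the rule without saying what it is for or what it depends on.
privoxy is the only active `cache_peer` in these lines (the LAN and I2P peers are commented out), so once this deny matches, CONNECT requests have no parent left to use.
The rule also references an ACL named CONNECT that is not defined anywhere in this part of the file.
Suggest expanding the comment to state the intent (TLS tunnels bypass privoxy, per the commit message), to name where the CONNECT ACL is defined, and to note that CONNECT traffic must be permitted to leave without a parent, so that a later edit to the forwarding rules does not silently break HTTPS.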
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: neighbor_type_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Modify the cache_peer neighbor type when passing requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# about specific domains to the peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# neighbor_type_domain neighbor parent|sibling domain domain ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_peer foo.example.com parent 3128 3130
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# neighbor_type_domain foo.example.com sibling .au .de
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The above configuration treats all requests to foo.example.com as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parent proxy unless the request is for a .au or .de ccTLD domain name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The peer type from cache_peer directive is used for all requests to that peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dead_peer_timeout (seconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This controls how long Squid waits to declare a peer cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as "dead." If there are no ICP replies received in this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# amount of time, Squid will declare the peer dead and not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expect to receive any further ICP replies. However, it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# continues to send ICP queries, and will mark the peer as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# alive upon receipt of the first subsequent ICP reply.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This timeout also affects when Squid expects to receive ICP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replies from peers. If more than 'dead_peer' seconds have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# passed since the last ICP reply was received, Squid will not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expect to receive an ICP reply on the next query. Thus, if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your time between requests is greater than this timeout, you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will see a lot of requests sent DIRECT to origin servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of to your parents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dead_peer_timeout 10 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: forward_max_tries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Limits the number of attempts to forward the request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For the purpose of this limit, Squid counts all high-level request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarding attempts, including any same-destination retries after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certain persistent connection failures and any attempts to use a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# different peer. However, low-level connection reopening attempts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (enabled using connect_retries) are not counted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: forward_timeout and connect_retries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward_max_tries 25
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MEMORY CACHE OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_mem (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'cache_mem' specifies the ideal amount of memory to be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * In-Transit objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Hot Objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Negative-Cached objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Data for these objects are stored in 4 KB blocks. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter specifies the ideal upper limit on the total size of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4 KB blocks allocated. In-Transit objects take the highest
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# priority.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In-transit objects have priority over the others. When
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional space is needed for incoming data, negative-cached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and hot objects will be released. In other words, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# negative-cached and hot objects will fill up any unused space
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not needed for in-transit objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If circumstances require, this limit will be exceeded.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifically, if your incoming request rate requires more than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'cache_mem' of memory to hold in-transit objects, Squid will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceed this limit to satisfy the new requests. When the load
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decreases, blocks will be freed until the high-water mark is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reached. Thereafter, blocks will be used to store hot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If shared memory caching is enabled, Squid does not use the shared
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache space for in-transit objects, but they still consume as much
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local memory as they need. For more details about the shared memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache, see memory_cache_shared.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_mem 256 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: maximum_object_size_in_memory (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Objects greater than this size will not be attempted to kept in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the memory cache. This should be set high enough to keep objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accessed frequently in memory to improve performance whilst low
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enough to keep larger objects from hoarding cache_mem.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum_object_size_in_memory 512 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maximum_object_size_in_memory 64 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: memory_cache_shared on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether the memory cache is shared among SMP workers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The shared memory cache is meant to occupy cache_mem bytes and replace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the non-shared memory cache, although some entities may still be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cached locally by workers for now (e.g., internal and in-transit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects may be served from a local memory cache even if shared memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# caching is enabled).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, the memory cache is shared if and only if all of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following conditions are satisfied: Squid runs in SMP mode with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multiple workers, cache_mem is positive, and Squid environment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supports required IPC primitives (e.g., POSIX shared memory segments
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and GCC-style atomic operations).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To avoid blocking locks, shared memory uses opportunistic algorithms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that do not guarantee that every cachable entity that could have been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared among SMP workers will actually be shared.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "on" where supported if doing memory caching with multiple SMP workers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: memory_cache_mode
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls which objects to keep in the memory cache (cache_mem)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always Keep most recently fetched objects in memory (default)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk Only disk cache hits are kept in memory, which means
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an object must first be cached on disk and then hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a second time before cached in memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network Only objects fetched from network is kept in memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keep the most recently fetched objects in memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: memory_replacement_policy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The memory replacement policy parameter determines which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects are purged from memory when memory space is needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See cache_replacement_policy for details on algorithms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory_replacement_policy lru
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DISK CACHE OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_replacement_policy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The cache replacement policy parameter determines which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects are evicted (replaced) when disk space is needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lru : Squid's original list based LRU policy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# heap GDSF : Greedy-Dual Size Frequency
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# heap LFUDA: Least Frequently Used with Dynamic Aging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# heap LRU : LRU policy implemented using a heap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Applies to any cache_dir lines listed below this directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The LRU policies keeps recently referenced objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The heap GDSF policy optimizes object hit rate by keeping smaller
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# popular objects in cache so it has a better chance of getting a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hit. It achieves a lower byte hit rate than LFUDA though since
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it evicts larger (possibly popular) objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The heap LFUDA policy keeps popular objects in cache regardless of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their size and thus optimizes byte hit rate at the expense of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hit rate since one large, popular object will prevent many
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smaller, slightly less popular objects from being cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Both policies utilize a dynamic aging mechanism that prevents
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache pollution that can otherwise occur with frequency-based
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replacement policies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: if using the LFUDA replacement policy you should increase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the value of maximum_object_size above its default of 4 MB to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to maximize the potential byte hit rate improvement of LFUDA.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For more information about the GDSF and LFUDA cache replacement
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_replacement_policy lru
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache_replacement_policy heap LFUDA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: minimum_object_size (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Objects smaller than this size will NOT be saved on disk. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is specified in bytes, and the default is 0 KB, which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# means all responses can be stored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: maximum_object_size (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the default value for max-size parameter on any cache_dir.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The value is specified in bytes, and the default is 4 MB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to get a high BYTES hit ratio, you should probably
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# increase this (one 32 MB object hit counts for 3200 10KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hits).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to increase hit ratio more than you want to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# save bandwidth you should leave this low.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: if using the LFUDA replacement policy you should increase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this value to maximize the byte hit rate improvement of LFUDA!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See cache_replacement_policy for a discussion of this policy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum_object_size 4 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maximum_object_size 64 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
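Review bot: the three active overrides in this region (maximum_object_size_in_memory 64 KB, cache_replacement_policy heap LFUDA, maximum_object_size 64 MB) carry no comment marking them as macos-fortress changes or giving a reason, so they are easy to miss among the stock commented defaults. Raising maximum_object_size alongside heap LFUDA follows the NOTE in the file itself, but lowering maximum_object_size_in_memory from the 512 KB default to 64 KB is unexplained while cache_mem and memory_replacement_policy stay at their defaults; a one-line rationale above each override would help later reviewers. The file text also says cache_replacement_policy "Applies to any cache_dir lines listed below this directive", and no active cache_dir line is visible in this part of the file, so please confirm the active cache_dir line is placed after these settings.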
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir Type Directory-Name Fs-specific-data [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can specify multiple cache_dir lines to spread the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache among different disk partitions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Type specifies the kind of storage system to use. Only "ufs"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is built by default. To enable any of the other storage systems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see the --enable-storeio configure option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'Directory' is a top-level directory where cache swap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# files will be stored. If you want to use an entire disk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for caching, this can be the mount-point directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The directory must exist and be writable by the Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process. Squid will NOT create this directory for you.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In SMP configurations, cache_dir must not precede the workers option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and should use configuration macros or conditionals to give each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# worker interested in disk caching a dedicated cache directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== The ufs store type ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "ufs" is the old well-known Squid storage format that has always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# been there.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'Mbytes' is the amount of disk space (MB) to use under this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directory. The default is 100 MB. Change this to suit your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration. Do NOT put the size of your disk drive here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Instead, if you want Squid to use the entire disk drive,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# subtract 20% and use that value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'L1' is the number of first-level subdirectories which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be created under the 'Directory'. The default is 16.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'L2' is the number of second-level subdirectories which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be created under each first-level directory. The default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is 256.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== The aufs store type ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "aufs" uses the same storage format as "ufs", utilizing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# POSIX-threads to avoid blocking the main Squid process on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk-I/O. This was formerly known in Squid as async-io.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see argument descriptions under ufs above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== The diskd store type ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "diskd" uses the same storage format as "ufs", utilizing a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separate process to avoid blocking the main Squid process on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk-I/O.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see argument descriptions under ufs above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Q1 specifies the number of unacknowledged I/O requests when Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stops opening new files. If this many messages are in the queues,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid won't open new files. Default is 64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Q2 specifies the number of unacknowledged messages when Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starts blocking. If this many messages are in the queues,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid blocks until it receives some replies. Default is 72
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When Q1 < Q2 (the default), the cache directory is optimized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for lower response time at the expense of a decrease in hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ratio. If Q1 > Q2, the cache directory is optimized for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# higher hit ratio at the expense of an increase in response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== The rock store type ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock Directory-Name Mbytes [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Rock Store type is a database-style storage. All cached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# entries are stored in a "database" file, using fixed-size slots.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A single entry occupies one or more slots.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If possible, Squid using Rock Store creates a dedicated kid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process called "disker" to avoid blocking Squid worker(s) on disk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I/O. One disker kid is created for each rock cache_dir. Diskers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are created only when Squid, running in daemon mode, has support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the IpcIo disk I/O module.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# swap-timeout=msec: Squid will not start writing a miss to or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reading a hit from disk if it estimates that the swap operation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will take more than the specified number of milliseconds. By
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default and when set to zero, disables the disk I/O time limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enforcement. Ignored when using blocking I/O module because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocking synchronous I/O does not allow Squid to estimate the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expected swap wait time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-swap-rate=swaps/sec: Artificially limits disk access using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the specified I/O rate limit. Swap out requests that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# would cause the average I/O rate to exceed the limit are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delayed. Individual swap in requests (i.e., hits or reads) are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not delayed, but they do contribute to measured swap rate and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# since they are placed in the same FIFO queue as swap out
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests, they may wait longer if max-swap-rate is smaller.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is necessary on file systems that buffer "too
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# many" writes and then start blocking Squid and other processes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# while committing those writes to disk. Usually used together
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with swap-timeout to avoid excessive delays and queue overflows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when disk demand exceeds available disk "bandwidth". By default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and when set to zero, disables the disk I/O rate limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enforcement. Currently supported by IpcIo module only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# slot-size=bytes: The size of a database "record" used for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# storing cached responses. A cached response occupies at least
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one slot and all database I/O is done using individual slots so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# increasing this parameter leads to more disk space waste while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decreasing it leads to more disk I/O overheads. Should be a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multiple of your operating system I/O page size. Defaults to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 16KBytes. A housekeeping header is stored with each slot and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# smaller slot-sizes will be rejected. The header is smaller than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 100 bytes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== COMMON OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no-store no new objects should be stored to this cache_dir.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min-size=n the minimum object size in bytes this cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will accept. It's used to restrict a cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to only store large objects (e.g. AUFS) while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other stores are optimized for smaller objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g. Rock).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defaults to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-size=n the maximum object size in bytes this cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supports.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The value in maximum_object_size directive sets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the default unless more specific details are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available (ie a small store capacity).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: To make optimal use of the max-size limits you should order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cache_dir lines with the smallest max-size value first.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No disk cache. Store cache ojects only in memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Uncomment and adjust the following to add a disk cache directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
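Review bot: the active "cache_dir ufs @PREFIX@/var/squid/cache 256 16 256" line sits directly under the "#Default:" text that says no disk cache is used,
and nothing marks it as a deliberate macos-fortress setting. The stock hint kept right after it ("Uncomment and adjust the following...") points at the same
@PREFIX@/var/squid/cache path with a different size (100), so a user who follows that hint ends up with two cache_dir entries for one directory.
Suggest adding a one-line comment above the active line saying it is set by this port, and dropping or rewording the commented example below it.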
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_dir_select_algorithm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How Squid selects which cache_dir to use when the response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# object will fit into more than one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Regardless of which algorithm is used the cache_dir min-size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and max-size parameters are obeyed. As such they can affect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the selection algorithm by limiting the set of considered
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Algorithms:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# least-load
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This algorithm is suited to caches with similar cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sizes and disk speeds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The disk with the least I/O pending is selected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When there are multiple disks with the same I/O load ranking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cache_dir with most available capacity is selected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a mix of cache_dir sizes are configured the faster disks
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have a naturally lower I/O loading and larger disks have more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# capacity. So space used to store objects and data throughput
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be very unbalanced towards larger disks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# round-robin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This algorithm is suited to caches with unequal cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk sizes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each cache_dir is selected in a rotation. The next suitable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Available cache_dir capacity is only considered in relation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to whether the object will fit and meets the min-size and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-size parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Disk I/O loading is only considered to prevent overload on slow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disks. This algorithm does not spread objects by size, so any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# I/O loading per-disk may appear very unbalanced and volatile.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If several cache_dirs use similar min-size, max-size, or other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limits to to reject certain responses, then do not group such
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir lines together, to avoid round-robin selection bias
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# towards the first cache_dir after the group. Instead, interleave
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir lines from different groups. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_dir_select_algorithm round-robin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock /hdd1 ... min-size=100000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock /ssd1 ... max-size=99999
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock /hdd2 ... min-size=100000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock /ssd2 ... max-size=99999
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock /hdd3 ... min-size=100000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_dir rock /ssd3 ... max-size=99999
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_dir_select_algorithm least-load
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: max_open_disk_fds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To avoid having disk as the I/O bottleneck Squid can optionally
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypass the on-disk cache if more than this amount of disk file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# descriptors are open.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A value of 0 indicates no limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_swap_low (percent, 0-100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The low-water mark for AUFS/UFS/diskd cache object eviction by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cache_replacement_policy algorithm.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Removal begins when the swap (disk) usage of a cache_dir is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# above this low-water mark and attempts to maintain utilization
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# near the low-water mark.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# As swap utilization increases towards the high-water mark set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by cache_swap_high object eviction becomes more agressive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The value difference in percentages between low- and high-water
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# marks represent an eviction rate of 300 objects per second and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the rate continues to scale in agressiveness by multiples of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this above the high-water mark.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defaults are 90% and 95%. If you have a large cache, 5% could be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hundreds of MB. If this is the case you may wish to set these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# numbers closer together.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also cache_swap_high and cache_replacement_policy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_swap_low 90
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_swap_high (percent, 0-100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The high-water mark for AUFS/UFS/diskd cache object eviction by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cache_replacement_policy algorithm.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Removal begins when the swap (disk) usage of a cache_dir is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# above the low-water mark set by cache_swap_low and attempts to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maintain utilization near the low-water mark.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# As swap utilization increases towards this high-water mark object
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eviction becomes more agressive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The value difference in percentages between low- and high-water
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# marks represent an eviction rate of 300 objects per second and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the rate continues to scale in agressiveness by multiples of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this above the high-water mark.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defaults are 90% and 95%. If you have a large cache, 5% could be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hundreds of MB. If this is the case you may wish to set these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# numbers closer together.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also cache_swap_low and cache_replacement_policy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_swap_high 95
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# LOGFILE OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: logformat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logformat <name> <format specification>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defines an access log format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The <format specification> is a string with embedded % format codes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# % format codes all follow the same basic structure where all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# components but the formatcode are optional and usually unnecessary,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# especially when dealing with common codes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# % [encoding] [-] [[0]width] [{arg}] formatcode [{arg}]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encoding escapes or otherwise protects "special" characters:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# " Quoted string encoding where quote(") and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# backslash(\) characters are \-escaped while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CR, LF, and TAB characters are encoded as \r,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# \n, and \t two-character sequences.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [ Custom Squid encoding where percent(%), square
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# brackets([]), backslash(\) and characters with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# codes outside of [32,126] range are %-encoded.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SP is not encoded. Used by log_mime_hdrs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # URL encoding (a.k.a. percent-encoding) where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all URL unsafe and control characters (per RFC
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1738) are %-encoded.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# / Shell-like encoding where quote(") and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# backslash(\) characters are \-escaped while CR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and LF characters are encoded as \r and \n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# two-character sequences. Values containing SP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# character(s) are surrounded by quotes(").
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ' Raw/as-is encoding with no escaping/quoting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default encoding: When no explicit encoding is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified, each %code determines its own encoding.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Most %codes use raw/as-is encoding, but some codes use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a so called "pass-through URL encoding" where all URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unsafe and control characters (per RFC 1738) are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %-encoded, but the percent character(%) is left as is.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - left aligned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# width minimum and/or maximum field width:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [width_min][.width_max]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When minimum starts with 0, the field is zero-padded.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# String values exceeding maximum width are truncated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# {arg} argument such as header name etc. This field may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# placed before or after the token, but not both at once.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# % a literal % character
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sn Unique sequence number per log line entry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# err_code The ID of an error response served by Squid or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a similar internal error identifier.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# err_detail Additional err_code-dependent error information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# note The annotation specified by the argument. Also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logs the adaptation meta headers set by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_meta configuration parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If no argument given all annotations logged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The argument may include a separator to use with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# annotation values:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name[:separator]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, multiple note values are separated with ","
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and multiple notes are separated with "\r\n".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When logging named notes with %{name}note, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# explicitly configured separator is used between note
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# values. When logging all notes with %note, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# explicitly configured separator is used between
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual notes. There is currently no way to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specify both value and notes separators when logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all notes with %note.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connection related format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >a Client source IP address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >A Client FQDN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >p Client source port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >eui Client source EUI (MAC address, EUI-48 or EUI-64 identifier)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >la Local IP address the client connected to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >lp Local port number the client connected to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >qos Client connection TOS/DSCP value set by Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >nfmark Client connection netfilter mark set by Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# la Local listening IP address the client connection was connected to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lp Local listening port number the client connection was connected to.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <a Server IP address of the last server or peer connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <A Server FQDN or peer name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <p Server port number of the last server or peer connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <la Local IP address of the last server or peer connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <lp Local port number of the last server or peer connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <qos Server connection TOS/DSCP value set by Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <nfmark Server connection netfilter mark set by Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >handshake Raw client handshake
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Initial client bytes received by Squid on a newly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accepted TCP connection or inside a just established
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONNECT tunnel. Squid stops accumulating handshake
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bytes as soon as the handshake parser succeeds or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fails (determining whether the client is using the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expected protocol).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For HTTP clients, the handshake is the request line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For TLS clients, the handshake consists of all TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# records up to and including the TLS record that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# contains the last byte of the first ClientHello
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message. For clients using an unsupported protocol,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this field contains the bytes received by Squid at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time of the handshake parsing failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the on_unsupported_protocol directive for more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# information on Squid handshake traffic expectations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Current support is limited to these contexts:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - http_port connections, but only when the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on_unsupported_protocol directive is in use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - https_port connections (and CONNECT tunnels) that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are subject to the ssl_bump peek or stare action.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To protect binary handshake data, this field is always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# base64-encoded (RFC 4648 Section 4). If logformat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# field encoding is configured, that encoding is applied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on top of base64. Otherwise, the computed base64 value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is recorded as is.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time related format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ts Seconds since epoch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tu subsecond time (milliseconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tl Local time. Optional strftime format argument
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default %d/%b/%Y:%H:%M:%S %z
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tg GMT time. Optional strftime format argument
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default %d/%b/%Y:%H:%M:%S %z
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tr Response time (milliseconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dt Total time spent making DNS lookups (milliseconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tS Approximate master transaction start time in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <full seconds since epoch>.<fractional seconds> format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently, Squid considers the master transaction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# started when a complete HTTP request header initiating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the transaction is received from the client. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the same value that Squid uses to calculate transaction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response time when logging %tr to access.log. Currently,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid uses millisecond resolution for %tS values,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# similar to the default access.log "current time" field
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (%ts.%03tu).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Access Control related format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# et Tag returned by external acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ea Log string returned by external acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# un User name (any available)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ul User name from authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ue User name from external acl helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ui User name from ident
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# un A user name. Expands to the first available name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from the following list of information sources:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - authenticated user name, like %ul
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - user name supplied by an external ACL, like %ue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - SSL client name, like %us
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - ident user name, like %ui
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# credentials Client credentials. The exact meaning depends on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the authentication scheme: For Basic authentication,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it is the password; for Digest, the realm sent by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client; for NTLM and Negotiate, the client challenge
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or client credentials prefixed with "YR " or "KK ".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP related format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# REQUEST
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]rm Request method (GET/POST etc)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>rm Request method from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<rm Request method sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]ru Request URL received (or computed) and sanitized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Logs request URI received from the client, a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request adaptation service, or a request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirector (whichever was applied last).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Computed URLs are URIs of internally generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests and various "error:..." URIs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Honors strip_query_terms and uri_whitespace.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This field is not encoded by default. Encoding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this field using variants of %-encoding will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clash with uri_whitespace modifications that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also use %-encoding.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>ru Request URL received from the client (or computed)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Computed URLs are URIs of internally generated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests and various "error:..." URIs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unlike %ru, this request URI is not affected
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by request adaptation, URL rewriting services,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and strip_query_terms.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Honors uri_whitespace.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This field is using pass-through URL encoding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by default. Encoding this field using other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# variants of %-encoding will clash with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uri_whitespace modifications that also use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %-encoding.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<ru Request URL sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>rs Request URL scheme from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<rs Request URL scheme sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>rd Request URL domain from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<rd Request URL domain sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>rP Request URL port from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<rP Request URL port sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]rp Request URL path excluding hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>rp Request URL path excluding hostname from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<rp Request URL path excluding hostname sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]rv Request protocol version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>rv Request protocol version from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<rv Request protocol version sent to server or peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>h Original received request header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usually differs from the request header sent by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid, although most fields are often preserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accepts optional header field name/value filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# argument using name[:[separator]element] format.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>ha Received request header after adaptation and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirection (pre-cache REQMOD vectoring point).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usually differs from the request header sent by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid, although most fields are often preserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Optional header name argument as for >h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RESPONSE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<Hs HTTP status code received from the next hop
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>Hs HTTP status code sent to the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<h Reply header. Optional header name argument
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as for >h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]mt MIME content type
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SIZE COUNTERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]st Total size of request + reply traffic with client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>st Total size of request received from client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Excluding chunked encoding bytes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<st Total size of reply sent to client (after adaptation)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]>sh Size of request headers received from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<sh Size of reply headers sent to client (after adaptation)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<sH Reply high offset sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<sS Upstream object size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<bs Number of HTTP-equivalent message body bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received from the next hop, excluding chunked
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transfer encoding and control messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Generated FTP/Gopher listings are treated as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received bodies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TIMING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<pt Peer response time in milliseconds. The timer starts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when the last request byte is sent to the next hop
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and stops when the last response byte is received.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [http::]<tt Total time in milliseconds. The timer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starts with the first connect request (or write I/O)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent to the first selected peer. The timer stops
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the last I/O with the last peer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid handling related format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Ss Squid request status (TCP_MISS etc)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sh Squid hierarchy status (DEFAULT_PARENT etc)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL-related format codes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::bump_mode SslBump decision for the transaction:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For CONNECT requests that initiated bumping of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a connection and for any request received on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an already bumped connection, Squid logs the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# corresponding SslBump mode ("splice", "bump",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "peek", "stare", "terminate", "server-first"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or "client-first"). See the ssl_bump option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for more information about these modes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A "none" token is logged for requests that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# triggered "ssl_bump" ACL evaluation matching
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a "none" rule.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In all other cases, a single dash ("-") is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::>sni SSL client SNI sent to Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::>cert_subject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Subject field of the received client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL certificate or a dash ('-') if Squid has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received an invalid/malformed certificate or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no certificate at all. Consider encoding the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logged value because Subject often has spaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::>cert_issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Issuer field of the received client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSL certificate or a dash ('-') if Squid has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received an invalid/malformed certificate or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no certificate at all. Consider encoding the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logged value because Issuer often has spaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::<cert_subject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Subject field of the received server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS certificate or a dash ('-') if this is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not available. Consider encoding the logged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value because Subject often has spaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::<cert_issuer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Issuer field of the received server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLS certificate or a dash ('-') if this is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not available. Consider encoding the logged
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value because Issuer often has spaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::<cert_errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The list of certificate validation errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# detected by Squid (including OpenSSL and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate validation helper components). The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# errors are listed in the discovery order. By
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default, the error codes are separated by ':'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accepts an optional separator argument.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::>negotiated_version The negotiated TLS version of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::<negotiated_version The negotiated TLS version of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last server or peer connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::>received_hello_version The TLS version of the Hello
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message received from TLS client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::<received_hello_version The TLS version of the Hello
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message received from TLS server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::>received_supported_version The maximum TLS version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supported by the TLS client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::<received_supported_version The maximum TLS version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supported by the TLS server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::>negotiated_cipher The negotiated cipher of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %ssl::<negotiated_cipher The negotiated cipher of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last server or peer connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If ICAP is enabled, the following code becomes available (as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# well as ICAP log codes documented with the icap_log option):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::tt Total ICAP processing time for the HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction. The timer ticks when ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACLs are checked and when ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction is in progress.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If adaptation is enabled the following codes become available:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adapt::<last_h The header of the last ICAP response or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# meta-information from the last eCAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction related to the HTTP transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Like <h, accepts an optional header name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# argument.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adapt::sum_trs Summed adaptation transaction response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# times recorded as a comma-separated list in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the order of transaction start time. Each time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is recorded as an integer number,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# representing response time of one or more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation (ICAP or eCAP) transaction in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# milliseconds. When a failed transaction is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# being retried or repeated, its time is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logged individually but added to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replacement (next) transaction. See also:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adapt::all_trs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adapt::all_trs All adaptation transaction response times.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Same as adaptation_strs but response times of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual transactions are never added
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# together. Instead, all transaction response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# times are recorded individually.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can prefix adapt::*_trs format codes with adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service name in curly braces to record response time(s) specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to that service. For example: %{my_service}adapt::sum_trs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default formats available (which do not need re-defining) are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#logformat referrer %ts.%03tu %>a %{Referer}>h %ru
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#logformat useragent %>a [%tl] "%{User-Agent}>h"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: When the log_mime_hdrs directive is set to ON.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid, common and combined formats have a safely encoded copy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the mime headers appended to each line within a pair of brackets.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The common and combined formats are not quite true to the Apache definition.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The logs from Squid contain an extra status and hierarchy code appended.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The format definitions squid, common, combined, referrer, useragent are built in.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
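Review bot: The "credentials" entry under "Access Control related format codes" states that
for Basic authentication the logged value is the password, but the comment carries no caution
that a custom logformat using %credentials writes that password to access.log. Add a one-line
warning at that entry, and say that none of the built-in formats listed here (squid, common,
combined, referrer, useragent) include the code. Two documentation nits in the same region:
"un" is described twice in that list (once as "User name (any available)" and again with the
expanded list of sources), and the adapt::all_trs text says "Same as adaptation_strs", a name
that is not defined among the codes shown, where adapt::sum_trs appears to be meant. If this
file is a verbatim copy of the upstream default, these are better raised upstream than
patched locally.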
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: access_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configures whether and how Squid logs HTTP and ICP transactions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If access logging is enabled, a single line is logged for every
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matching HTTP or ICP request. The recommended directive formats are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access_log <module>:<place> [option ...] [acl acl ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access_log none [acl acl ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following directive format is accepted but may be deprecated:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access_log <module>:<place> [<logformat name> [acl acl ...]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In most cases, the first ACL name must not contain the '=' character
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and should not be equal to an existing logformat name. You can always
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# start with an 'all' ACL to work around those restrictions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Will log to the specified module:place using the specified format (which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# must be defined in a logformat directive) those entries which match
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALL the acl's specified (which must be defined in acl clauses).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If no acl is specified, all requests will be logged to this destination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===== Available options for the recommended directive format =====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logformat=name Names log line format (either built-in or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defined by a logformat directive). Defaults
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to 'squid'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffer-size=64KB Defines approximate buffering limit for log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# records (see buffered_logs). Squid should not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# keep more than the specified size and, hence,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should flush records before the buffer becomes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# full to avoid overflows under normal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conditions (the exact flushing algorithm is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# module-dependent though). The on-error option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# controls overflow handling.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-error=die|drop Defines action on unrecoverable errors. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'drop' action ignores (i.e., does not log)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# affected log records. The default 'die' action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kills the affected worker. The drop action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support has not been tested for modules other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# than tcp.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rotate=N Specifies the number of log file rotations to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make when you run 'squid -k rotate'. The default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is to obey the logfile_rotate directive. Setting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rotate=0 will disable the file name rotation,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but the log files are still closed and re-opened.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This will enable you to rename the logfiles
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# yourself just before sending the rotate signal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only supported by the stdio module.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ===== Modules Currently available =====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none Do not log any requests matching these ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not specify Place or logformat name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stdio Write each log line to disk immediately at the completion of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place: the filename and path to be written.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# daemon Very similar to stdio. But instead of writing to disk the log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# line is passed to a daemon helper for asychronous handling instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place: varies depending on the daemon.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log_file_daemon Place: the file name and path to be written.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# syslog To log each request via syslog facility.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place: The syslog facility and priority level for these entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place Format: facility.priority
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where facility could be any of:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authpriv, daemon, local0 ... local7 or user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# And priority could be any of:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# err, warning, notice, info, debug.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# udp To send each log line as text data to a UDP receiver.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place: The destination host name or IP and port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place Format: //host:port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tcp To send each log line as text data to a TCP receiver.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Lines may be accumulated before sending (see buffered_logs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place: The destination host name or IP and port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Place Format: //host:port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access_log daemon:@PREFIX@/var/squid/logs/access.log squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+access_log daemon:@PREFIX@/var/squid/logs/access.log squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#access_log daemon:@PREFIX@/var/squid/logs/access.log squid_ua
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP log files record ICAP transaction summaries, one line per
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The icap_log option format is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_log <filepath> [<logformat name> [acl acl ...]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_log none [acl acl ...]]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see access_log option documentation for details. The two
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kinds of logs share the overall configuration approach and many
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# features.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP processing of a single HTTP message or transaction may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# require multiple ICAP transactions. In such cases, multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP transaction log lines will correspond to a single access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP log supports many access.log logformat %codes. In ICAP context,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP message-related %codes are applied to the HTTP message embedded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in an ICAP message. Logformat "%http::>..." codes are used for HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# messages embedded in ICAP requests while "%http::<..." codes are used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for HTTP messages embedded in ICAP responses. For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http::>h To-be-adapted HTTP message headers sent by Squid to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the ICAP service. For REQMOD transactions, these are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP request headers. For RESPMOD, these are HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response headers, but Squid currently cannot log them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (i.e., %http::>h will expand to "-" for RESPMOD).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http::<h Adapted HTTP message headers sent by the ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service to Squid (i.e., HTTP request headers in regular
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# REQMOD; HTTP response headers in RESPMOD and during
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request satisfaction in REQMOD).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP OPTIONS transactions do not embed HTTP messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Several logformat codes below deal with ICAP message bodies. An ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message body, if any, typically includes a complete HTTP message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (required HTTP headers plus optional HTTP message body). When
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# computing HTTP message body size for these logformat codes, Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# either includes or excludes chunked encoding overheads; see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# code-specific documentation for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For Secure ICAP services, all size-related information is currently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# computed before/after TLS encryption/decryption, as if TLS was not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in use at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following format codes are also available for ICAP logs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::<A ICAP server IP address. Similar to <A.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::<service_name ICAP service name from the icap_service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option in Squid configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::ru ICAP Request-URI. Similar to ru.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::rm ICAP request method (REQMOD, RESPMOD, or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS). Similar to existing rm.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::>st The total size of the ICAP request sent to the ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server (ICAP headers + ICAP body), including chunking
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# metadata (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::<st The total size of the ICAP response received from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP server (ICAP headers + ICAP body), including
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chunking metadata (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::<bs The size of the ICAP response body received from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP server, excluding chunking metadata (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::tr Transaction response time (in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# milliseconds). The timer starts when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the ICAP transaction is created and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stops when the transaction is completed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Similar to tr.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::tio Transaction I/O time (in milliseconds). The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# timer starts when the first ICAP request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# byte is scheduled for sending. The timers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stops when the last byte of the ICAP response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is received.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::to Transaction outcome: ICAP_ERR* for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction errors, ICAP_OPT for OPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transactions, ICAP_ECHO for 204
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# responses, ICAP_MOD for message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modification, and ICAP_SAT for request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# satisfaction. Similar to Ss.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::Hs ICAP response status code. Similar to Hs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::>h ICAP request header(s). Similar to >h.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap::<h ICAP response header(s). Similar to <h.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default ICAP log format, which can be used without an explicit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# definition, is called icap_squid:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#logformat icap_squid %ts.%03tu %6icap::tr %>A %icap::to/%03icap::Hs %icap::<st %icap::rm %icap::ru %un -/%icap::<A -
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: logformat and %adapt::<last_h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: logfile_daemon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the path to the logfile-writing daemon. This daemon is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to write the access and store logs, if configured.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid sends a number of commands to the log daemon:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# L<data>\n - logfile data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# R\n - rotate file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# T\n - truncate file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# O\n - reopen file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# F\n - flush file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# r<n>\n - set rotate count to <n>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# b<n>\n - 1 = buffer output, 0 = don't buffer output
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No responses is expected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logfile_daemon @PREFIX@/libexec/squid/log_file_daemon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: stats_collection allow|deny acl acl...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This options allows you to control which requests gets accounted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in performance counters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow logging for all transactions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_store_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Logs the activities of the storage manager. Shows which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects are ejected from the cache, and which objects are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# saved and for how long.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There are not really utilities to analyze this data, so you can safely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable it (the default).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Store log uses modular logging outputs. See access_log for the list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of modules supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_store_log stdio:@PREFIX@/var/squid/logs/store.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_store_log daemon:@PREFIX@/var/squid/logs/store.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_swap_state
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location for the cache "swap.state" file. This index file holds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the metadata of objects saved on disk. It is used to rebuild
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the cache during startup. Normally this file resides in each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'cache_dir' directory, but you may specify an alternate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pathname here. Note you must give a full filename, not just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a directory. Since this is the index for the whole object
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# list you CANNOT periodically rotate it!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If %s can be used in the file name it will be replaced with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a representation of the cache_dir name where each / is replaced
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with '.'. This is needed to allow adding/removing cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lines when cache_swap_log is being used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If have more than one 'cache_dir', and %s is not used in the name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these swap logs will have names such as:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_swap_log.00
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_swap_log.01
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_swap_log.02
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The numbered extension (which is added automatically)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# corresponds to the order of the 'cache_dir' lines in this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration file. If you change the order of the 'cache_dir'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lines in this file, these index files will NOT correspond to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the correct 'cache_dir' entry (unless you manually rename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them). We recommend you do NOT use this option. It is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# better to keep these index files in each 'cache_dir' directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Store the journal inside its cache_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: logfile_rotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the default number of logfile rotations to make when you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# type 'squid -k rotate'. The default is 10, which will rotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with extensions 0 through 9. Setting logfile_rotate to 0 will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disable the file name rotation, but the logfiles are still closed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and re-opened. This will enable you to rename the logfiles
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# yourself just before sending the rotate signal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note, from Squid-3.1 this option is only a default for cache.log,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that log can be rotated separately by using debug_options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note, from Squid-4 this option is only a default for access.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# recorded by stdio: module. Those logs can be rotated separately by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the rotate=N option on their access_log directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note, the 'squid -k rotate' command normally sends a USR1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# signal to the running squid process. In certain situations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g. on Linux with Async I/O), USR1 is used for other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# purposes, so -k rotate uses another signal. It is best to get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <pid>'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note, from Squid-3.1 this option is only a default for cache.log,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that log can be rotated separately by using debug_options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logfile_rotate 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+logfile_rotate 31
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
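Review bot: `logfile_rotate 31` may not apply to the log it is meant for. The active `access_log` line above uses the `daemon:` module, while the comment text directly above this setting says that from Squid-4 the option is only a default for cache.log and for access.log written by the `stdio:` module, and the `rotate=N` option is documented as stdio-only. Please confirm that the 31-rotation retention actually reaches the daemon-written access.log (the `logfile_daemon` section lists a set-rotate-count command, so it may), and add a one-line comment next to the setting stating the intended retention and which logs it covers, since the commit also changes the squid-rotate launch daemon. Separately, the active `access_log` line passes the format as a trailing positional name (`... access.log squid`), which the comments above describe as accepted but possibly deprecated; `logformat=squid` is the recommended form, and the same applies to the commented-out `squid_ua` alternative.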
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mime_table
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Path to Squid's icon configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You shouldn't need to change this, but the default file contains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# examples and formatting information if you do.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mime_table @PREFIX@/etc/squid/mime.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_mime_hdrs on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The Cache can record both the request and the response MIME
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers for each HTTP transaction. The headers are encoded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# safely and will appear as two bracketed fields at the end of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the access log (for either the native or httpd-emulated log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# formats). To enable this logging set log_mime_hdrs to 'on'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log_mime_hdrs off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: pid_filename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A filename to write the process-id to. To disable, enter "none".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pid_filename @PREFIX@/var/run/squid/squid.pid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_netmask
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A netmask for client addresses in logfiles and cachemgr output.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Change this to protect the privacy of your cache clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A netmask of 255.255.255.0 will log all IP's in that range with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the last digit set to '0'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log full client IP address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: strip_query_terms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid strips query terms from requested URLs before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logging. This protects your user's privacy and reduces log size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When investigating HIT/MISS or other caching behaviour you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will need to disable this to see the full URL used by Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strip_query_terms on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: buffered_logs on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to write/send access_log records ASAP or accumulate them and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# then write/send them in larger chunks. Buffering may improve
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# performance because it decreases the number of I/Os. However,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffering increases the delay before log records become available to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the final recipient (e.g., a disk file or logging daemon) and,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hence, increases the risk of log records loss.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that even when buffered_logs are off, Squid may have to buffer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# records if it cannot write/send them immediately due to pending I/Os
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., the I/O writing the previous log record) or connectivity loss.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently honored by 'daemon' and 'tcp' access_log modules only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffered_logs off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+buffered_logs on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: netdb_filename
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-icmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Where Squid stores it's netdb journal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When enabled this journal preserves netdb state between restarts.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To disable, enter "none".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# netdb_filename stdio:@PREFIX@/var/squid/cache/netdb.state
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR TROUBLESHOOTING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid administrative logging file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is where general information about Squid behavior goes. You can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# increase the amount of data logged to this file and how often it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rotated with "debug_options"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_log @PREFIX@/var/squid/logs/cache.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: debug_options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Logging options are set as section,level where each source file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is assigned a unique section. Lower levels result in less
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# output, Full debugging (level 9) can result in a very large
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log file, so be careful.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The magic word "ALL" sets debugging levels for all sections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is to run with "ALL,1" to record important warnings.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The rotate=N option can be used to keep more or less of these logs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# than would otherwise be kept by logfile_rotate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For most uses a single log should be enough to monitor current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# events affecting Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log all critical and important messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: coredump_dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Squid leaves core files in the directory from where
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it was started. If you set 'coredump_dir' to a directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that exists, Squid will chdir() to that directory at startup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and coredump files will be left there.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the directory from where Squid was started.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Leave coredumps in the first cache dir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+coredump_dir @PREFIX@/var/squid/cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
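Review bot: `buffered_logs on` in the logging options overrides the documented default of `off`, while the comment directly above it says buffering "increases the risk of log records loss" and is honored by the 'daemon' and 'tcp' access_log modules only.
Either keep the default or add a comment line above the setting that says why fewer I/Os are worth delayed and possibly lost access_log records, and confirm the access_log module in use is one of the two that honor it, since otherwise the line has no effect.
Separately, `cache_dir ufs @PREFIX@/var/squid/cache 256 16 256` is set inside the coredump_dir block rather than next to the cache_dir documentation, and `coredump_dir` is then pointed at the same path.
Consider moving the cache_dir line to its own section and stating in the "Leave coredumps in the first cache dir" comment that the two paths must be changed together.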
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR FTP GATEWAYING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want the anonymous login password to be more informative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (and enable the use of picky FTP servers), set this to something
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reasonable for your domain, like wwwuser@somewhere.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The reason why this is domainless by default is the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request can be made on the behalf of a user in any domain,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# depending on how the cache is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some FTP server also validate the email address is valid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (for example perl.com).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_user Squid@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_passive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If your firewall does not allow Squid to use passive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections, turn off this option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use of ftp_epsv_all option requires this to be ON.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_passive on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_epsv_all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FTP Protocol extensions permit the use of a special "EPSV ALL" command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NATs may be able to put the connection on a "fast path" through the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# translator, as the EPRT command will never be used and therefore,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# translation of the data portion of the segments will never be needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a client only expects to do two-way FTP transfers this may be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# useful.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If squid finds that it must do a three-way FTP transfer after issuing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an EPSV ALL command, the FTP session will fail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you have any doubts about this option do not use it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will nicely attempt all other connection methods.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires ftp_passive to be ON (default) for any effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_epsv_all off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_epsv
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FTP Protocol extensions permit the use of a special "EPSV" command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NATs may be able to put the connection on a "fast path" through the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# translator using EPSV, as the EPRT command will never be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and therefore, translation of the data portion of the segments
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will never be needed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EPSV is often required to interoperate with FTP servers on IPv6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# networks. On the other hand, it may break some IPv4 servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, EPSV may try EPSV with any FTP server. To fine tune
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that decision, you may restrict EPSV to certain clients or servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using ACLs:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_epsv allow|deny al1 acl2 ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Disabling EPSV may cause problems with external NAT and IPv6.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only fast ACLs are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires ftp_passive to be ON (default) for any effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_eprt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FTP Protocol extensions permit the use of a special "EPRT" command.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This extension provides a protocol neutral alternative to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPv4-only PORT command. When supported it enables active FTP data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# channels over IPv6 and efficient NAT handling.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Turning this OFF will prevent EPRT being attempted and will skip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# straight to using PORT for IPv4 servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some devices are known to not handle this extension correctly and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may result in crashes. Devices which suport EPRT enough to fail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cleanly will result in Squid attempting PORT anyway. This directive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should only be disabled when EPRT results in device failures.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Doing so will convert Squid back to the old behavior with all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the related problems with external NAT devices/layers and IPv4-only FTP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_eprt on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_sanitycheck
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For security and data integrity reasons Squid by default performs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sanity checks of the addresses of FTP data connections ensure the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# data connection is to the requested server. If you need to allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FTP connections to servers using another IP address for the data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection turn this off.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_sanitycheck on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_telnet_protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The FTP protocol is officially defined to use the telnet protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as transport channel for the control connection. However, many
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# implementations are broken and does not respect this aspect of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the FTP protocol.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you have trouble accessing files with ASCII code 255 in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# path or similar problems involving this ASCII code you can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# try setting this directive to off. If that helps, report to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# operator of the FTP server in question that their FTP server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is broken and does not follow the FTP standard.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_telnet_protocol on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: diskd_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location of the diskd executable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note this is only useful if you have compiled in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# diskd as one of the store io modules.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# diskd_program @PREFIX@/libexec/squid/diskd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: unlinkd_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location of the executable for file deletion process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unlinkd_program @PREFIX@/libexec/squid/unlinkd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: pinger_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-icmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location of the executable for the pinger process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pinger_program @PREFIX@/libexec/squid/pinger
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: pinger_enable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-icmp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Control whether the pinger is active at run-time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enables turning ICMP pinger on and off with a simple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# squid -k reconfigure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pinger_enable on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR URL REWRITING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location of the executable URL rewriter to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since they can perform almost any function there isn't one included.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For each requested URL, the rewriter will receive on line with the format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID <SP>] URL [<SP> extras]<NL>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See url_rewrite_extras on how to send "extras" with optional values to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the helper.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# After processing the request the helper must reply using the following format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID <SP>] result [<SP> kv-pairs]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The result code can be:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OK status=30N url="..."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redirect the URL to the one supplied in 'url='.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'status=' is optional and contains the status code to send
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client in Squids HTTP response. It must be one of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP redirect status codes: 301, 302, 303, 307, 308.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When no status is given Squid will use 302.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OK rewrite-url="..."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rewrite the URL to the one supplied in 'rewrite-url='.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The new URL is fetched directly by Squid and returned to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client as the response to its request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When neither of url= and rewrite-url= are sent Squid does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not change the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not change the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An internal error occurred in the helper, preventing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a result being identified. The 'message=' key name is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reserved for delivering a log message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In addition to the above kv-pairs Squid also understands the following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optional kv-pairs received from URL rewriters:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clt_conn_tag=TAG
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Associates a TAG with the client TCP connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The TAG is treated as a regular annotation but persists across
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# future requests on the client connection rather than just the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# current request. A helper may update the TAG during subsequent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests be returning a new kv-pair.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When using the concurrency= option the protocol is changed by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# introducing a query channel tag in front of the request/response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The query channel tag is a number between 0 and concurrency-1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This value must be echoed back unchanged to Squid as the first part
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the response relating to its request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: URL re-writing ability should be avoided whenever possible.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the URL redirect form of response instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Re-write creates a difference in the state held by the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and server. Possibly causing confusion when the server response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# contains snippets of its view state. Embeded URLs, response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and content Location headers, etc. are not re-written by this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interface.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, a URL rewriter is not used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the maximum number of redirector processes that Squid may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spawn (numberofchildren) and several related options. Using too few of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# these helper processes (a.k.a. "helpers") creates request queues.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Using too many helpers wastes your system resources.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: numberofchildren [option]...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The startup= and idle= options allow some measure of skew in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tuning.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets a minimum of how many processes are to be spawned when Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starts or reconfigures. When set to zero the first request will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cause spawning of the first child process to handle it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Starting too few will cause an initial slowdown in traffic as Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempts to simultaneously spawn enough processes to cope.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idle=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets a minimum of how many processes Squid is to try and keep available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at all times. When traffic begins to rise above what the existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes can handle this many more will be spawned up to the maximum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured. A minimum setting of 1 is required.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrency=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The number of requests each redirector helper can handle in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parallel. Defaults to 0 which indicates the redirector
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is a old-style single threaded redirector.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this directive is set to a value >= 1 then the protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to communicate with the helper is modified to include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an ID in front of the request/response. The ID from the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# must be echoed back with the response to that request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue-size=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the maximum number of queued requests. A request is queued when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no existing child can accept it due to concurrency limit and no new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# child can be started due to numberofchildren limit. The default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum is zero if url_rewrite_bypass is enabled and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2*numberofchildren otherwise. If the queued requests exceed queue size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and redirector_bypass configuration option is set, then redirector is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypassed. Otherwise, Squid is allowed to temporarily exceed the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured maximum, marking the affected helper as "overloaded". If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the helper overload lasts more than 3 minutes, the action prescribed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the on-persistent-overload option applies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-persistent-overload=action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies Squid reaction to a new helper request arriving when the helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has been overloaded for more that 3 minutes already. The number of queued
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests determines whether the helper is overloaded (see the queue-size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Two actions are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# die Squid worker quits. This is the default behavior.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERR Squid treats the helper request as if it was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# immediately submitted, and the helper immediately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replied with an ERR response. This action has no effect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the already queued and in-progress helper requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# url_rewrite_children 20 startup=0 idle=1 concurrency=0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_host_header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To preserve same-origin security policies in browsers and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prevent Host: header forgery by redirectors Squid rewrites
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any Host: header in redirected requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are running an accelerator this may not be a wanted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# effect of a redirector. This directive enables you disable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Host: alteration in reverse-proxy traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Entries are cached on the result of the URL rewriting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# process, so be careful if you have domain-virtual hosts.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Squid and other software verifies the URL and Host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are matching, so be careful not to relay through other proxies
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or inspecting firewalls with this disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# url_rewrite_host_header on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If defined, this access list specifies which requests are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent to the redirector processes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_bypass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this is 'on', a request will not go through the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirector if all the helpers are busy. If this is 'off' and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirector queue grows too large, the action is prescribed by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-persistent-overload option. You should only enable this if the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirectors are not critical to your caching system. If you use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirectors for access control, and you enable this option,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users may have access to pages they should not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be allowed to request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enabling this option sets the default url_rewrite_children queue-size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option value to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# url_rewrite_bypass off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_extras
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies a string to be append to request line format for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rewriter helper. "Quoted" format values may contain spaces and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logformat %macros. In theory, any logformat %macro can be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In practice, a %macro expands as a dash (-) if the helper request is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent before the required macro information is available to Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: url_rewrite_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid times active requests to redirector. The timeout value and Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reaction to a timed out request are configurable using the following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# url_rewrite_timeout timeout time-units on_timeout=<action> [response=<quoted-response>]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supported timeout actions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fail Squid return a ERR_GATEWAY_FAILURE error page
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypass Do not re-write the URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# retry Send the lookup to the helper again
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use_configured_response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the <quoted-response> as helper response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid waits for the helper response forever
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR STORE ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_id_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify the location of the executable StoreID helper to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Since they can perform almost any function there isn't one included.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For each requested URL, the helper will receive one line with the format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID <SP>] URL [<SP> extras]<NL>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# After processing the request the helper must reply using the following format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID <SP>] result [<SP> kv-pairs]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The result code can be:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OK store-id="..."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the StoreID supplied in 'store-id='.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERR
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is to use HTTP request URL as the store ID.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An internal error occurred in the helper, preventing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a result being identified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In addition to the above kv-pairs Squid also understands the following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optional kv-pairs received from URL rewriters:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# clt_conn_tag=TAG
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Associates a TAG with the client TCP connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see url_rewrite_program related documentation for this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# kv-pair
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Helper programs should be prepared to receive and possibly ignore
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional whitespace-separated tokens on each input line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When using the concurrency= option the protocol is changed by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# introducing a query channel tag in front of the request/response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The query channel tag is a number between 0 and concurrency-1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This value must be echoed back unchanged to Squid as the first part
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the response relating to its request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: when using StoreID refresh_pattern will apply to the StoreID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# returned from the helper and not the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Wrong StoreID value returned by a careless helper may result
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the wrong cached response returned to the user.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, a StoreID helper is not used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_id_extras
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies a string to be append to request line format for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# StoreId helper. "Quoted" format values may contain spaces and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logformat %macros. In theory, any logformat %macro can be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In practice, a %macro expands as a dash (-) if the helper request is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent before the required macro information is available to Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_id_extras "%>a/%>A %un %>rm myip=%la myport=%lp"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_id_children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies the maximum number of StoreID helper processes that Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may spawn (numberofchildren) and several related options. Using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too few of these helper processes (a.k.a. "helpers") creates request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queues. Using too many helpers wastes your system resources.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: numberofchildren [option]...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The startup= and idle= options allow some measure of skew in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tuning.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# startup=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets a minimum of how many processes are to be spawned when Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# starts or reconfigures. When set to zero the first request will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cause spawning of the first child process to handle it.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Starting too few will cause an initial slowdown in traffic as Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempts to simultaneously spawn enough processes to cope.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# idle=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets a minimum of how many processes Squid is to try and keep available
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at all times. When traffic begins to rise above what the existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes can handle this many more will be spawned up to the maximum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured. A minimum setting of 1 is required.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrency=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The number of requests each storeID helper can handle in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parallel. Defaults to 0 which indicates the helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is a old-style single threaded program.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this directive is set to a value >= 1 then the protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used to communicate with the helper is modified to include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an ID in front of the request/response. The ID from the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# must be echoed back with the response to that request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue-size=N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets the maximum number of queued requests to N. A request is queued
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when no existing child can accept it due to concurrency limit and no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new child can be started due to numberofchildren limit. The default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum is 2*numberofchildren. If the queued requests exceed queue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# size and redirector_bypass configuration option is set, then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirector is bypassed. Otherwise, Squid is allowed to temporarily
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceed the configured maximum, marking the affected helper as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "overloaded". If the helper overload lasts more than 3 minutes, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# action prescribed by the on-persistent-overload option applies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-persistent-overload=action
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies Squid reaction to a new helper request arriving when the helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has been overloaded for more that 3 minutes already. The number of queued
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests determines whether the helper is overloaded (see the queue-size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Two actions are supported:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# die Squid worker quits. This is the default behavior.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERR Squid treats the helper request as if it was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# immediately submitted, and the helper immediately
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replied with an ERR response. This action has no effect
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the already queued and in-progress helper requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_id_children 20 startup=0 idle=1 concurrency=0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_id_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If defined, this access list specifies which requests are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent to the StoreID processes. By default all requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are sent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_id_bypass
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this is 'on', a request will not go through the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# helper if all helpers are busy. If this is 'off' and the helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queue grows too large, the action is prescribed by the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-persistent-overload option. You should only enable this if the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# helpers are not critical to your caching system. If you use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# helpers for critical caching components, and you enable this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option, users may not get objects from cache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This options sets default queue-size option of the store_id_children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_id_bypass on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR TUNING THE CACHE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requests denied by this directive will not be served from the cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and their responses will not be stored in the cache. This directive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has no effect on other transactions and on already cached responses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This and the two other similar caching directives listed below are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checked at different transaction processing stages, have different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access to response information, affect different cache operations,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and differ in slow ACLs support:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * cache: Checked before Squid makes a hit/miss determination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No access to reply information!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Denies both serving a hit and storing a miss.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supports both fast and slow ACLs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * send_hit: Checked after a hit was detected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Has access to reply (hit) information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Denies serving a hit only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supports fast ACLs only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * store_miss: Checked before storing a cachable miss.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Has access to reply (miss) information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Denies storing a miss only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supports fast ACLs only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are not sure which of the three directives to use, apply the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following decision logic:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * If your ACL(s) are of slow type _and_ need response info, redesign.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid does not support that particular combination at this time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Otherwise:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * If your directive ACL(s) are of slow type, use "cache"; and/or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * if your directive ACL(s) need no response info, use "cache".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Otherwise:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * If you do not want the response cached, use store_miss; and/or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * if you do not want a hit on a cached response, use send_hit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, this directive is unused and has no effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: send_hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Responses denied by this directive will not be served from the cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (but may still be cached, see store_miss). This directive has no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# effect on the responses it allows and on the cached objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see the "cache" directive for a summary of differences among
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_miss, send_hit, and cache directives.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unlike the "cache" directive, send_hit only supports fast acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # apply custom Store ID mapping to some URLs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl MapMe dstdomain .c.example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_id_program ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_id_access allow MapMe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # but prevent caching of special responses
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # such as 302 redirects that cause StoreID loops
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl Ordinary http_status 200-299
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_miss deny MapMe !Ordinary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and do not serve any previously stored special responses
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # from the cache (in case they were already cached before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # the above store_miss rule was in effect).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# send_hit deny MapMe !Ordinary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, this directive is unused and has no effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_miss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Responses denied by this directive will not be cached (but may still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be served from the cache, see send_hit). This directive has no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# effect on the responses it allows and on the already cached responses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see the "cache" directive for a summary of differences among
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_miss, send_hit, and cache directives. See the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# send_hit directive for a usage example.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Unlike the "cache" directive, store_miss only supports fast acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, this directive is unused and has no effect.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: max_stale time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option puts an upper limit on how stale content Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will serve from the cache if cache validation fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Can be overriden by the refresh_pattern max-stale option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max_stale 1 week
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: refresh_pattern
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# usage: refresh_pattern [-i] regex min percent max [options]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, regular expressions are CASE-SENSITIVE. To make
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them case-insensitive, use the -i option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'Min' is the time (in minutes) an object without an explicit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expiry time should be considered fresh. The recommended
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is 0, any higher values may cause dynamic applications
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to be erroneously cached unless the application designer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has taken the appropriate actions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'Percent' is a percentage of the objects age (time since last
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modification age) an object without explicit expiry time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be considered fresh.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'Max' is an upper limit on how long objects without an explicit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expiry time will be considered fresh. The value is also used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to form Cache-Control: max-age header for a request sent from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid to origin/parent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# options: override-expire
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# override-lastmod
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reload-into-ims
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-reload
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-no-store
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-stale=NN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refresh-ims
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store-stale
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# override-expire enforces min age even if the server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent an explicit expiry time (e.g., with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Expires: header or Cache-Control: max-age). Doing this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# VIOLATES the HTTP standard. Enabling this feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# could make you liable for problems which it causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: override-expire does not enforce staleness - it only extends
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# freshness / min. If the server returns a Expires time which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is longer than your max time, Squid will still consider
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the object fresh for that period of time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# override-lastmod enforces min age even on objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that were modified recently.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reload-into-ims changes a client no-cache or ``reload''
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request for a cached entry into a conditional request using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If-Modified-Since and/or If-None-Match headers, provided the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cached entry has a Last-Modified and/or a strong ETag header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Doing this VIOLATES the HTTP standard. Enabling this feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# could make you liable for problems which it causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-reload ignores a client no-cache or ``reload''
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header. Doing this VIOLATES the HTTP standard. Enabling
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this feature could make you liable for problems which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-no-store ignores any ``Cache-control: no-store''
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers received from a server. Doing this VIOLATES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the HTTP standard. Enabling this feature could make you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# liable for problems which it causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore-private ignores any ``Cache-control: private''
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers received from a server. Doing this VIOLATES
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the HTTP standard. Enabling this feature could make you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# liable for problems which it causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refresh-ims causes squid to contact the origin server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when a client issues an If-Modified-Since request. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ensures that the client will receive an updated version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if one is available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store-stale stores responses even if they don't have explicit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# freshness or a validator (i.e., Last-Modified or an ETag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# present, or if they're already stale. By default, Squid will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not cache such responses because they usually can't be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reused. Note that such responses will be stale by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-stale=NN provide a maximum staleness factor. Squid won't
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# serve objects more stale than this even if it failed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# validate the object. Default: use the max_stale global limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Basically a cached object is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FRESH if expire > now, else STALE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# STALE if age > max
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FRESH if lm-factor < percent, else STALE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FRESH if age < min
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# else STALE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The refresh_pattern lines are checked in the order listed here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The first entry which matches is used. If none of the entries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# match the default will be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note, you must uncomment all the default lines if you want
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to change one. The default setting is only active if none is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Add any of your own refresh_pattern entries above these.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern ^ftp: 1440 20% 10080
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern ^gopher: 1440 0% 1440
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#refresh_pattern . 0 20% 4320
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# https://www.linux.com/news/speed-your-internet-access-using-squids-refresh-patterns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+refresh_pattern . 0 40% 40320
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
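Review bot: The three extension-based refresh_pattern rules added under the linux.com link
(images, media, and the deb|rpm|exe|zip|...|doc group) combine override-expire with
ignore-no-store and ignore-private, so a response the origin marked "Cache-Control: private"
or "no-store" is stored and replayed from cache for at least 10080 or 43200 minutes
(7 or 30 days) on the strength of its file extension alone. That covers per-user documents
and archives as well as software packages, and the option descriptions earlier in this same
file say each of these options violates the HTTP standard. Suggest dropping ignore-private
and ignore-no-store, at minimum from the deb|rpm|exe|zip|...|doc rule, and keeping
override-expire only where stale content is harmless. Two smaller points in the same block:
ignore-no-cache is not among the options this file documents for refresh_pattern, so confirm
the targeted Squid release still accepts it or remove it; and "\.index.(html|htm)$" requires
a literal dot before "index", so it never matches a URL ending in /index.html, which then
falls through to the 1440-minute html rule. "/index\.(html|htm)$" looks like what was intended.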
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: quick_abort_min (KB)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quick_abort_min 16 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+quick_abort_min 0 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: quick_abort_max (KB)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quick_abort_max 16 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+quick_abort_max 0 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: quick_abort_pct (percent)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The cache by default continues downloading aborted requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which are almost completed (less than 16 KB remaining). This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be undesirable on slow (e.g. SLIP) links and/or very busy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# caches. Impatient users may tie up file descriptors and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bandwidth by repeatedly requesting and immediately aborting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# downloads.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When the user aborts a request, Squid will check the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quick_abort values to the amount of data transferred until
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# then.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the transfer has less than 'quick_abort_min' KB remaining,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it will finish the retrieval.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the transfer has more than 'quick_abort_max' KB remaining,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it will abort the retrieval.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If more than 'quick_abort_pct' of the transfer has completed,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it will finish the retrieval.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you do not want any retrieval to continue after the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to '0 KB'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want retrievals to always continue if they are being
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cached set 'quick_abort_min' to '-1 KB'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quick_abort_pct 95
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: read_ahead_gap buffer-size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The amount of data the cache will buffer ahead of what has been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sent to the client when retrieving an object from another server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# read_ahead_gap 16 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: negative_ttl time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the Default Time-to-Live (TTL) for failed requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Certain types of failures (such as "connection refused" and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "404 Not Found") are able to be negatively-cached for a short time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Modern web servers should provide Expires: header, however if they
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# do not this can provide a minimum TTL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is not to cache errors with unknown expiry details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that this is different from negative caching of DNS lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this feature could make you liable for problems which it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# negative_ttl 0 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: positive_dns_ttl time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Upper limit on how long Squid will cache positive DNS responses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Default is 6 hours (360 minutes). This directive must be set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# larger than negative_dns_ttl.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# positive_dns_ttl 6 hours
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: negative_dns_ttl time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This also sets the lower cache limit on positive lookups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Minimum value is 1 second, and it is not recommendable to go
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# much below 10 seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# negative_dns_ttl 1 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: range_offset_limit size [acl acl...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# usage: (size) [units] [[!]aclname]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sets an upper limit on how far (number of bytes) into the file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a Range request may be to cause Squid to prefetch the whole file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If beyond this limit, Squid forwards the Range request as it is and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the result is NOT cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is to stop a far ahead range request (lets say start at 17MB)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from making Squid fetch the whole object up to that point before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sending anything to the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Multiple range_offset_limit lines may be specified, and they will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be searched from top to bottom on each request until a match is found.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The first match found will be used. If no line matches a request, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default limit of 0 bytes will be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'size' is the limit specified as a number of units.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'units' specifies whether to use bytes, KB, MB, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If no units are specified bytes are assumed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A size of 0 causes Squid to never fetch more than the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client requested. (default)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A size of 'none' causes Squid to always fetch the object from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# beginning so it may cache the result. (2.0 style)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'aclname' is the name of a defined ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NP: Using 'none' as the byte value here will override any quick_abort settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that may otherwise apply to the range request. The range request will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be fully fetched from start to finish regardless of the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# actions. This affects bandwidth usage.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: minimum_expiry_time (seconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum caching time according to (Expires - Date)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers Squid honors if the object can't be revalidated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is 60 seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In reverse proxy environments it might be desirable to honor
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shorter object lifetimes. It is most likely better to make
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your server return a meaningful Last-Modified header however.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In ESI environments where page fragments often have short
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lifetimes, this will often be best set to 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minimum_expiry_time 60 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_avg_object_size (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Average object size, used to estimate number of objects your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache can hold. The default is 13 KB.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used to pre-seed the cache index memory allocation to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reduce expensive reallocate operations while handling clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# traffic. Too-large values may result in memory allocation during
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peak traffic, too-small values will result in wasted memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Check the cache manager 'info' report metrics for the real
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# object sizes seen by your Squid before tuning this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_avg_object_size 13 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: store_objects_per_bucket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Target number of objects per bucket in the store hash table.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Lowering this value increases the total number of buckets and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# also the storage maintenance rate. The default is 20.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_objects_per_bucket 20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_header_max_size (KB)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This specifies the maximum size for HTTP headers in a request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request headers are usually relatively small (about 512 bytes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Placing a limit on the request header size will catch certain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bugs (for example with persistent connections) and possibly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffer-overflow or denial-of-service attacks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_max_size 64 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: reply_header_max_size (KB)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This specifies the maximum size for HTTP headers in a reply.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Reply headers are usually relatively small (about 512 bytes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Placing a limit on the reply header size will catch certain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bugs (for example with persistent connections) and possibly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buffer-overflow or denial-of-service attacks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_max_size 64 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_body_max_size (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This specifies the maximum size for an HTTP request body.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In other words, the maximum size of a PUT/POST request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A user who attempts to send a request with a body larger
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# than this limit receives an "Invalid Request" error message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you set this parameter to a zero (the default), there will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be no limit imposed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also client_request_buffer_max_size for an alternative
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limitation on client uploads which can be configured.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_request_buffer_max_size (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This specifies the maximum buffer size of a client request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It prevents squid eating too much memory when somebody uploads
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a large file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_request_buffer_max_size 512 KB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: broken_posts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A list of ACL elements which, if matched, causes Squid to send
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an extra CRLF pair after the body of a PUT/POST request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some HTTP servers has broken implementations of PUT/POST,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and rely on an extra CRLF pair sent by some WWW clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Quote from RFC2616 section 4.1 on this matter:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: certain buggy HTTP/1.0 client implementations generate an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# extra CRLF's after a POST request. To restate what is explicitly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forbidden by the BNF, an HTTP/1.1 client must not preface or follow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a request with an extra CRLF.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl buggy_server url_regex ^http://....
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# broken_posts allow buggy_server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Obey RFC 2616.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_uses_indirect_client on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether the indirect client IP address (instead of the direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client IP address) is passed to adaptation services.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: follow_x_forwarded_for adaptation_send_client_ip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_uses_indirect_client on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: via on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set (default), Squid will include a Via header in requests and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replies as required by RFC2616.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# via on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+via off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: vary_ignore_expire on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many HTTP servers supporting Vary gives such objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# immediate expiry time with no cache-control header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when requested by a HTTP/1.0 client. This option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enables Squid to ignore such expiry times until
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP/1.1 is fully implemented.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: If turned on this may eventually cause some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# varying objects not intended for caching to get cached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vary_ignore_expire off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_entities
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid defaults to deny GET and HEAD requests with request entities,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as the meaning of such requests are undefined in the HTTP standard
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# even if not explicitly forbidden.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set this directive to on if you have clients which insists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on sending request entities in GET or HEAD requests. But be warned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that there is server software (both proxies and web servers) which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can fail to properly process this kind of request which may make you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vulnerable to cache pollution attacks if enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_entities off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_header_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: request_header_access header_name allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this feature could make you liable for problems which it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option replaces the old 'anonymize_headers' and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# older 'http_anonymizer' option with something that is much
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more configurable. A list of ACLs for each header name allows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# removal of specific header fields under specific conditions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option only applies to outgoing HTTP request headers (i.e.,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers sent by Squid to the next HTTP hop such as a cache peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or an origin server). The option has no effect during cache hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# detection. The equivalent adaptation vectoring point in ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminology is post-cache REQMOD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The option is applied to individual outgoing request header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fields. For each request header field F, Squid uses the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# qualifying sets of request_header_access rules:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. Rules with header_name equal to F's name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. Rules with header_name 'Other', provided F's name is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the hard-coded list of commonly used HTTP header names.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. Rules with header_name 'All'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Within that qualifying rule set, rule ACLs are checked as usual.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If ACLs of an "allow" rule match, the header field is allowed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# go through as is. If ACLs of a "deny" rule match, the header is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# removed and request_header_replace is then checked to identify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if the removed header has a replacement. If no rules within the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set have matching ACLs, the header field is left as is.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, to achieve the same behavior as the old
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'http_anonymizer standard' option, you should use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access From deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Referer deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access User-Agent deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Or, to reproduce the old 'http_anonymizer paranoid' feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you should use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Authorization allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Proxy-Authorization allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Cache-Control allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Content-Length allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Content-Type allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Date allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Host allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access If-Modified-Since allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Pragma allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Accept allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Accept-Charset allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Accept-Encoding allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Accept-Language allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access Connection allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_header_access All deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP reply headers are controlled with the reply_header_access directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, all headers are allowed (no anonymizing is performed).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No limits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow localnet headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access From allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Server allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Link allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Cache-Control allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-Cache allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-Cache-Lookup allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Via allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Forwarded-For allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-Forwarded-For allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Pragma allow localnet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# old 'http_anonymizer standard'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access From deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow privoxy configuration to see the referer, then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl privoxy-config dstdomain config.privoxy.org p.p
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Referer allow privoxy-config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache deny privoxy-config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forge Referer in Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Referer deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Server deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forge User-Agent below and in Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header_access User-Agent deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this breaks web authentication -- do not use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#! header_access WWW-Authenticate deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Link deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more privacy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-Cache deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-Cache-Lookup deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Via deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Forwarded-For deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-Forwarded-For deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access Pragma deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#! These slow down browsing a lot -- do not use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header_access Cache-Control deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header_access Keep-Alive deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Mobile carrier uniquely identifying headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access MSISDN deny all # T-Mobile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-MSISDN deny all # T-Mobile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-UIDH deny all # Verizon
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access x-up-subno deny all # AT&T
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-ACR deny all # AT&T
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-UP-SUBSCRIBER-COS deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-OPWV-DDM-HTTPMISCDD deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-OPWV-DDM-IDENTITY deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-OPWV-DDM-SUBSCRIBER deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access CLIENTID deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X-VF-ACR deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X_MTI_USERNAME deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X_MTI_EMAIL deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access X_MTI_EMPID deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_access User-Agent deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
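Review bot: the "allow localnet" rules for X-Cache, X-Cache-Lookup, Via, Forwarded-For, X-Forwarded-For and Pragma
come before the "deny all" rules for the same headers under "# more privacy". Squid checks each header's access list
in order and the first matching rule decides, so requests from localnet clients keep Via and X-Forwarded-For on the
way upstream and the deny rules only ever apply to clients outside localnet. If the intent is to strip these headers
for every client, drop the allow lines for them, and consider "via off" and "forwarded_for delete" so that Squid does
not add the headers itself. Separately, "request_header_access Server deny all" and "request_header_access Link deny all"
act on request headers, while the bundled documentation just below lists Server and Link under reply_header_access;
use reply_header_access for them if stripping them from responses is what is wanted.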
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: reply_header_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: reply_header_access header_name allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Doing this VIOLATES the HTTP standard. Enabling
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this feature could make you liable for problems which it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option only applies to reply headers, i.e., from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server to the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the same as request_header_access, but in the other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direction. Please see request_header_access for detailed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# documentation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, to achieve the same behavior as the old
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'http_anonymizer standard' option, you should use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Server deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access WWW-Authenticate deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Link deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Or, to reproduce the old 'http_anonymizer paranoid' feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you should use:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Allow allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access WWW-Authenticate allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Proxy-Authenticate allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Cache-Control allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Content-Encoding allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Content-Length allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Content-Type allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Date allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Expires allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Last-Modified allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Location allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Pragma allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Content-Language allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Retry-After allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Title allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Content-Disposition allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access Connection allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reply_header_access All deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP request headers are controlled with the request_header_access directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, all headers are allowed (no anonymizing is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# performed).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No limits.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_header_replace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: request_header_replace header_name message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: request_header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option allows you to change the contents of headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# denied with request_header_access above, by replacing them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with some fixed string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This only applies to request headers, not reply headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, headers are removed if denied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: reply_header_replace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: reply_header_replace header_name message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: reply_header_replace Server Foo/1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option allows you to change the contents of headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# denied with reply_header_access above, by replacing them
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with some fixed string.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This only applies to reply headers, not request headers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, headers are removed if denied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_header_add
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: request_header_add field-name field-value [ acl ... ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: request_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option adds header fields to outgoing HTTP requests (i.e.,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request headers sent by Squid to the next HTTP hop such as a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache peer or an origin server). The option has no effect during
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache hit detection. The equivalent adaptation vectoring point
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in ICAP terminology is post-cache REQMOD.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Field-name is a token specifying an HTTP header name. If a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standard HTTP header name is used, Squid does not check whether
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the new header conflicts with any existing headers or violates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP rules. If the request to be modified already contains a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# field with the same name, the old field is preserved but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header field values are not merged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Field-value is either a token or a quoted string. If quoted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string format is used, then the surrounding quotes are removed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# while escape sequences and %macros are processed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# One or more Squid ACLs may be specified to restrict header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# injection to matching requests. As always in squid.conf, all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACLs in the ACL list must be satisfied for the insertion to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happen. The request_header_add supports fast ACLs only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: reply_header_add.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: reply_header_add
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: reply_header_add field-name field-value [ acl ... ]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: reply_header_add X-Client-CA "CA=%ssl::>cert_issuer" all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option adds header fields to outgoing HTTP responses (i.e., response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers delivered by Squid to the client). This option has no effect on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache hit detection. The equivalent adaptation vectoring point in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP terminology is post-cache RESPMOD. This option does not apply to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# successful CONNECT replies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Field-name is a token specifying an HTTP header name. If a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# standard HTTP header name is used, Squid does not check whether
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the new header conflicts with any existing headers or violates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP rules. If the response to be modified already contains a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# field with the same name, the old field is preserved but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header field values are not merged.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Field-value is either a token or a quoted string. If quoted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# string format is used, then the surrounding quotes are removed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# while escape sequences and %macros are processed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# One or more Squid ACLs may be specified to restrict header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# injection to matching responses. As always in squid.conf, all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACLs in the ACL list must be satisfied for the insertion to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happen. The reply_header_add option supports fast ACLs only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: request_header_add.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: note
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option used to log custom information about the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction. For example, an admin may configure Squid to log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which "user group" the transaction belongs to, where "user group"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be determined based on a set of ACLs and not [just]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authentication information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Values of key/value pairs can be logged using %{key}note macros:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# note key value acl ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logformat myFormat ... %{key}note ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: relaxed_header_parser on|off|warn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In the default "on" setting Squid accepts certain forms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of non-compliant HTTP messages where it is unambiguous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# what the sending application intended even if the message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is not correctly formatted. The messages is then normalized
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the correct form when forwarded by Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "warn" then a warning will be emitted in cache.log
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# each time such HTTP error is encountered.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "off" then such HTTP errors will cause the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or response to be rejected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# relaxed_header_parser on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: collapsed_forwarding (on|off)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option controls whether Squid is allowed to merge multiple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# potentially cachable requests for the same URI before Squid knows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whether the response is going to be cachable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When enabled, instead of forwarding each concurrent request for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the same URL, Squid just sends the first of them. The other, so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# called "collapsed" requests, wait for the response to the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request and, if it happens to be cachable, use that response.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Here, "concurrent requests" means "received after the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request headers were parsed and before the corresponding response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers were parsed".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This feature is disabled by default: enabling collapsed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarding needlessly delays forwarding requests that look
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cachable (when they are collapsed) but then need to be forwarded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individually anyway because they end up being for uncachable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content. However, in some cases, such as acceleration of highly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cachable content with periodic or grouped expiration times, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gains from collapsing [large volumes of simultaneous refresh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests] outweigh losses from such delays.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid collapses two kinds of requests: regular client requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# received on one of the listening ports and internal "cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# revalidation" requests which are triggered by those regular
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests hitting a stale cached object. Revalidation collapsing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is currently disabled for Squid instances containing SMP-aware
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk or memory caches and for Vary-controlled cached objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapsed_forwarding off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: collapsed_forwarding_shared_entries_limit (number of entries)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This limits the size of a table used for sharing information
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# about collapsible entries among SMP workers. Limiting sharing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# too much results in cache content duplication and missed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapsing opportunities. Using excessively large values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wastes shared memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The limit should be significantly larger then the number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrent collapsible entries one wants to share. For a cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that handles less than 5000 concurrent requests, the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setting of 16384 should be plenty.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the limit is set to zero, it disables sharing of collapsed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarding between SMP workers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapsed_forwarding_shared_entries_limit 16384
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TIMEOUTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: forward_timeout time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter specifies how long Squid should at most attempt in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# finding a forwarding path for the request before giving up.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forward_timeout 4 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: connect_timeout time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter specifies how long to wait for the TCP connect to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the requested server or peer to complete before Squid should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# attempt to find another path where to forward the request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connect_timeout 1 minute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: peer_connect_timeout time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter specifies how long to wait for a pending TCP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection to a peer cache. The default is 30 seconds. You
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may also set different timeout values for individual neighbors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the 'connect-timeout' option on a 'cache_peer' line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peer_connect_timeout 30 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: read_timeout time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Applied on peer server connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# After each successful read(), the timeout will be extended by this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# amount. If no data is read again after this amount of time,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request is aborted and logged with ERR_READ_TIMEOUT.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is 15 minutes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# read_timeout 15 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: write_timeout time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This timeout is tracked for all connections that have data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available for writing and are waiting for the socket to become
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ready. After each successful write, the timeout is extended by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the configured amount. If Squid has data to write but the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection is not ready for the configured duration, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction associated with the connection is terminated. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default is 15 minutes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# write_timeout 15 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait for complete HTTP request headers after initial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection establishment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_timeout 5 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: request_start_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait for the first request byte after initial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection establishment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_start_timeout 5 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_idle_pconn_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait for the next HTTP request on a persistent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client connection after the previous request completes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_idle_pconn_timeout 2 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ftp_client_idle_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# How long to wait for an FTP request on a connection to Squid ftp_port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Many FTP clients do not deal with idle connection closures well,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# necessitating a longer default timeout than client_idle_pconn_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used for incoming HTTP requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ftp_client_idle_timeout 30 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_lifetime time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The maximum amount of time a client (browser) is allowed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# remain connected to the cache process. This protects the Cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from having a lot of sockets (and hence file descriptors) tied up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in a CLOSE_WAIT state from remote clients that go away without
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# properly shutting down (either because of a network failure or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# because of a poor client implementation). The default is one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# day, 1440 minutes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: The default value is intended to be much larger than any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client would ever need to be connected to your cache. You
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should probably change client_lifetime only as a last resort.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you seem to have many client connections tying up
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filedescriptors, we recommend first tuning the read_timeout,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request_timeout, persistent_request_timeout and quick_abort values.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_lifetime 1 day
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: pconn_lifetime time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Desired maximum lifetime of a persistent connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set, Squid will close a now-idle persistent connection that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceeded configured lifetime instead of moving the connection into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the idle connection pool (or equivalent). No effect on ongoing/active
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transactions. Connection lifetime is the time period from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection acceptance or opening time until "now".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This limit is useful in environments with long-lived connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where Squid configuration or environmental factors change during a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# single connection lifetime. If unrestricted, some connections may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# last for hours and even days, ignoring those changes that should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have affected their behavior or their existence.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently, a new lifetime value supplied via Squid reconfiguration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has no effect on already idle connections unless they become busy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set to '0' this limit is not used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pconn_lifetime 0 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: half_closed_clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some clients may shutdown the sending side of their TCP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections, while leaving their receiving sides open. Sometimes,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid can not tell the difference between a half-closed and a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fully-closed TCP connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid will immediately close client connections when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# read(2) returns "no more data to read."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Change this option to 'on' and Squid will keep open connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# until a read(2) or write(2) on the socket returns an error.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This may show some benefits for reverse proxies. But if not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it is recommended to leave OFF.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# half_closed_clients off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: server_idle_pconn_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Timeout for idle persistent connections to servers and other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server_idle_pconn_timeout 1 minute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ident_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum time to wait for IDENT lookups to complete.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this is too high, and you enabled IDENT lookups from untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# users, you might be susceptible to denial-of-service by having
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# many ident requests going at once.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ident_timeout 10 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: shutdown_lifetime time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When SIGTERM or SIGHUP is received, the cache is put into
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "shutdown pending" mode until all active sockets are closed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This value is the lifetime to set for all open descriptors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# during shutdown mode. Any active clients after this many
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# seconds will receive a 'timeout' message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shutdown_lifetime 30 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Make this significantly less than daemondo's kChildDeathTimeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to avoid multiple squid processes at boot or on network change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# const CFTimeInterval kChildDeathTimeout = 20;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+shutdown_lifetime 5 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ADMINISTRATIVE PARAMETERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_mgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Email-address of local cache manager who will receive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail if the cache dies. The default is "webmaster".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_mgr webmaster
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mail_from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# From: email-address for mail sent when the cache dies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is to use 'squid@unique_hostname'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: unique_hostname directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mail_program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Email program used to send mail if the cache dies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is "mail". The specified program must comply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the standard Unix mail syntax:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail-program recipient < mailfile
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Optional command line options can be specified.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mail_program mail
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_effective_user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you start Squid as root, it will change its effective/real
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# UID/GID to the user specified below. The default is to change
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to UID of squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see also; cache_effective_group
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_effective_user squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_effective_group
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid sets the GID to the effective user's default group ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (taken from the password file) and supplementary group list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from the groups membership.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want Squid to run with a specific GID regardless of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the group memberships of the effective user then set this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the group (or GID) you want Squid to run as. When set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all other group privileges of the effective user are ignored
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and only this GID is effective. If Squid is not started as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# root the user starting Squid MUST be member of the specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# group.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is not recommended by the Squid Team.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Our preference is for administrators to configure a secure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user account for squid with UID/GID matching system policies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use system group memberships of the cache_effective_user account
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: httpd_suppress_version_string on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Suppress Squid version string info in HTTP headers and HTML error pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# httpd_suppress_version_string off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: visible_hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to present a special hostname in error messages, etc,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# define this. Otherwise, the return value of gethostname()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be used. If you have multiple caches in a cluster and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# get errors about IP-forwarding you must set them to have individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# names with this setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Automatically detect the system host name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+visible_hostname localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: unique_hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to have multiple machines with the same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'visible_hostname' you must give each machine a different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'unique_hostname' so forwarding loops can be detected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Copy the value from visible_hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
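Review bot: `visible_hostname localhost` is set with no matching `unique_hostname`, and the default documented directly below it is "Copy the value from visible_hostname", so every machine installed from this port identifies itself as localhost for forwarding-loop detection. The directive text says machines sharing a visible_hostname must each be given a different unique_hostname; either state the single-host assumption in a comment next to the setting or set unique_hostname explicitly. Two smaller points in the same region: `httpd_suppress_version_string` stays at its default of off, so the Squid version is still shown in HTTP headers and error pages even though the hostname is masked; and the `shutdown_lifetime 5 seconds` override and its daemondo rationale sit directly under the `#Default:` lines, where a blank line or a local-change marker would make port changes easier to tell apart from the upstream reference text.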
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: hostname_aliases
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A list of other DNS names your cache has.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: umask
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Minimum umask which should be enforced while the proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is running, in addition to the umask set at startup.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a traditional octal representation of umasks, start
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# your value with 0.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# umask 027
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This section contains parameters for the (optional) cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# announcement service. This service is provided to help
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache administrators locate one another in order to join or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# create cache hierarchies.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An 'announcement' message is sent (via UDP) to the registration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service by Squid. By default, the announcement message is NOT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SENT unless you enable it with 'announce_period' below.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The announcement message includes your hostname, plus the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following information from this configuration file:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_mgr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All current information is processed regularly and made
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available on the Web at http://www.ircache.net/Cache/Tracker/.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: announce_period
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is how frequently to send cache announcements.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To enable announcing your cache, just set an announce period.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# announce_period 1 day
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Announcement messages disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: announce_host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the hostname where announce registration messages will be sent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also announce_port and announce_file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# announce_host tracker.ircache.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: announce_file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The contents of this file will be included in the announce
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# registration messages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: announce_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the port where announce registration messages will be sent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also announce_host and announce_file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# announce_port 3131
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTPD-ACCELERATOR OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: httpd_accel_surrogate_id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Surrogates (http://www.esi.org/architecture_spec_1.0.html)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# need an identification token to allow control targeting. Because
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a farm of surrogates may all perform the same tasks, they may share
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an identification token.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# visible_hostname is used if no specific ID is set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: http_accel_surrogate_remote on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remote surrogates (such as those in a CDN) honour the header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "Surrogate-Control: no-store-remote".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set this to on to have squid behave as a remote surrogate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_accel_surrogate_remote off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: esi_parser libxml2|expat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Selects the XML parsing library to use when interpreting responses with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Edge Side Includes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To disable ESI handling completely, ./configure Squid with --disable-esi.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Selects libxml2 if available at ./configure time or libexpat otherwise.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DELAY POOL PARAMETERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: delay_pools
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This represents the number of delay pools to be used. For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if you have one class 2 delay pool and one class 3 delays pool, you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have a total of 2 delay pools.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also delay_parameters, delay_class, delay_access for pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_pools 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: delay_class
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This defines the class of each delay pool. There must be exactly one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class line for each delay pool. For example, to define two
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay pools, one of class 2 and one of class 3, the settings above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and here would be:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_pools 4 # 4 delay pools
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class 1 2 # pool 1 is a class 2 pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class 2 3 # pool 2 is a class 3 pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class 3 4 # pool 3 is a class 4 pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class 4 5 # pool 4 is a class 5 pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The delay pool classes are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# class 1 Everything is limited by a single aggregate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bucket.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# class 2 Everything is limited by a single aggregate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bucket as well as an "individual" bucket chosen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from bits 25 through 32 of the IPv4 address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# class 3 Everything is limited by a single aggregate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bucket as well as a "network" bucket chosen
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from bits 17 through 24 of the IP address and a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "individual" bucket chosen from bits 17 through
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 32 of the IPv4 address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# class 4 Everything in a class 3 delay pool, with an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# additional limit on a per user basis. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only takes effect if the username is established
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in advance - by forcing authentication in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_access rules.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# class 5 Requests are grouped according their tag (see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# external_acl's tag= reply).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each pool also requires a delay_parameters directive to configure the pool size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and speed limits used whenever the pool is applied to a request. Along with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a set of delay_access directives to determine when it is used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: If an IP address is a.b.c.d
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -> bits 25 through 32 are "d"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -> bits 17 through 24 are "c"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -> bits 17 through 32 are "c * 256 + d"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also delay_parameters and delay_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: delay_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is used to determine which delay pool a request falls into.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_access is sorted per pool and the matching starts with pool 1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# then pool 2, ..., and finally pool N. The first delay pool where the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request is allowed is selected for the request. If it does not allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request to any pool then the request is not delayed (default).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, if you want some_big_clients in delay
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pool 1 and lotsa_little_clients in delay pool 2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_access 1 allow some_big_clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_access 1 deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_access 2 allow lotsa_little_clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_access 2 deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_access 3 allow authenticated_clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also delay_parameters and delay_class.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny using the pool, unless allow rules exist in squid.conf for the pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: delay_parameters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This defines the parameters for a delay pool. Each delay pool has
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a number of "buckets" associated with it, as explained in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# description of delay_class.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a class 1 delay pool, the syntax is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class pool 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters pool aggregate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a class 2 delay pool:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class pool 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters pool aggregate individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a class 3 delay pool:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class pool 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters pool aggregate network individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a class 4 delay pool:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class pool 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters pool aggregate network individual user
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For a class 5 delay pool:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class pool 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters pool tagrate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The option variables are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pool a pool number - ie, a number between 1 and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# number specified in delay_pools as used in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_class lines.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aggregate the speed limit parameters for the aggregate bucket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (class 1, 2, 3).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual the speed limit parameters for the individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buckets (class 2, 3).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network the speed limit parameters for the network buckets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (class 3).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# user the speed limit parameters for the user buckets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (class 4).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tagrate the speed limit parameters for the tag buckets
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (class 5).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A pair of delay parameters is written restore/maximum, where restore is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the number of bytes (not bits - modem and network speeds are usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quoted in bits) per second placed into the bucket, and maximum is the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum number of bytes which can be in the bucket at any time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# There must be one delay_parameters line for each delay pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, if delay pool number 1 is a class 2 delay pool as in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# above example, and is being used to strictly limit each host to 64Kbit/sec
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (plus overheads), with no overall limit, the line is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters 1 none 8000/8000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that 8 x 8K Byte/sec -> 64K bit/sec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that the word 'none' is used to represent no limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# And, if delay pool number 2 is a class 3 delay pool as in the above
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# example, and you want to limit it to a total of 256Kbit/sec (strict limit)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with each 8-bit network permitted 64Kbit/sec (strict limit) and each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual host permitted 4800bit/sec with a bucket maximum size of 64Kbits
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to permit a decent web page to be downloaded at a decent speed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (if the network is not being limited due to overuse) but slow down
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# large downloads more significantly:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters 2 32000/32000 8000/8000 600/8000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that 8 x 32K Byte/sec -> 256K bit/sec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 8 x 8K Byte/sec -> 64K bit/sec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 8 x 600 Byte/sec -> 4800 bit/sec.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Finally, for a class 4 delay pool as in the example - each user will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be limited to 128Kbits/sec no matter how many workstations they are logged into.:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also delay_class and delay_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
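Review bot: In the delay_parameters comment block, the class 4 example "delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000" uses pool number 4, but the delay_class example it points back to declares "delay_class 3 4" and "delay_class 4 5", so pool 4 there is a class 5 pool that takes a single tagrate pair, and the class 4 pool is pool 3. Suggest using pool number 3 in that example line so the four pairs (aggregate, network, individual, user) match the pool's class. Two smaller documentation points in the same region: the delay_class text introduces its example as defining two delay pools while the example sets delay_pools 4 and lists four classes, and the option-variable list limits aggregate, network and individual to classes 1 through 3 although the class 4 syntax line takes all three as well.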
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: delay_initial_bucket_level (percent, 0-100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The initial bucket percentage is used to determine how much is put
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in each bucket when squid starts, is reconfigured, or first notices
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a host accessing it (in class 2 and class 3, individual hosts and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# networks only have buckets associated with them once they have been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "seen" by squid).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay_initial_bucket_level 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CLIENT DELAY POOL PARAMETERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_delay_pools
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option specifies the number of client delay pools used. It must
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preceed other client_delay_* options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_pools 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also client_delay_parameters and client_delay_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_pools 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option determines the initial bucket size as a percentage of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max_bucket_size from client_delay_parameters. Buckets are created
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# at the time of the "first" connection from the matching IP. Idle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buckets are periodically deleted up.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You can specify more than 100 percent but note that such "oversized"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# buckets are not refilled until their size goes down to max_bucket_size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from client_delay_parameters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_initial_bucket_level 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_initial_bucket_level 50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_delay_parameters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option configures client-side bandwidth limits using the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_parameters pool speed_limit max_bucket_size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pool is an integer ID used for client_delay_access matching.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# speed_limit is bytes added to the bucket per second.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max_bucket_size is the maximum size of a bucket, enforced after any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# speed_limit additions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see the delay_parameters option for more information and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# examples.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_parameters 1 1024 2048
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_parameters 2 51200 16384
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also client_delay_access.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_delay_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option determines the client-side delay pool for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_access pool_ID allow|deny acl_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All client_delay_access options are checked in their pool ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# order, starting with pool 1. The first checked pool with allowed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request is selected for the request. If no ACL matches or there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are no client_delay_access options, the request bandwidth is not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limited.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The ACL-selected pool is then used to find the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_parameters for the request. Client-side pools are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not used to aggregate clients. Clients are always aggregated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# based on their source IP addresses (one bucket per source IP).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Additionally, only the client TCP connection details are available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACLs testing HTTP properties will not work.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Please see delay_access for more examples.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_access 1 allow low_rate_network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_delay_access 2 allow vips_network
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also client_delay_parameters and client_delay_pools.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp_router
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option to define your WCCP ``home'' router for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp_router supports a single WCCP(v1) router
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_router supports multiple WCCPv2 routers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only one of the two may be used at the same time and defines
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which version of WCCP to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCP disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_router
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option to define your WCCP ``home'' router for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp_router supports a single WCCP(v1) router
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_router supports multiple WCCPv2 routers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only one of the two may be used at the same time and defines
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which version of WCCP to use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCPv2 disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp_version
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive is only relevant if you need to set up WCCP(v1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to some very old and end-of-life Cisco routers. In all other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setups it must be left unset or at the default setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It defines an internal version in the WCCP(v1) protocol,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with version 4 being the officially documented protocol.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# According to some users, Cisco IOS 11.2 and earlier only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# support WCCP version 3. If you're using that or an earlier
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# version of IOS, you may need to change this value to 3, otherwise
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# do not specify this parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp_version 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_rebuild_wait
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this is enabled Squid will wait for the cache dir rebuild to finish
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# before sending the first wccp2 HereIAm packet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_rebuild_wait on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_forwarding_method
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCP2 allows the setting of forwarding methods between the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# router/switch and the cache. Valid values are as follows:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently (as of IOS 12.4) cisco routers only support GRE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cisco switches only support the L2 redirect assignment method.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_forwarding_method gre
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_return_method
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCP2 allows the setting of return methods between the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# router/switch and the cache for packets that the cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decides not to handle. Valid values are as follows:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently (as of IOS 12.4) cisco routers only support GRE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Cisco switches only support the L2 redirect assignment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the "ip wccp redirect exclude in" command has been
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enabled on the cache interface, then it is still safe for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the proxy server to use a l2 redirect method even if this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option is set to GRE.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_return_method gre
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_assignment_method
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCP2 allows the setting of methods to assign the WCCP hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Valid values are as follows:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hash - Hash assignment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mask - Mask assignment
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# As a general rule, cisco routers support the hash assignment method
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and cisco switches support the mask assignment method.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_assignment_method hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WCCP2 allows for multiple traffic services. There are two
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# types: "standard" and "dynamic". The standard type defines
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one service id - http (id 0). The dynamic service ids can be from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 51 to 255 inclusive. In order to use a dynamic service id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one must define the type of traffic to be redirected; this is done
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the wccp2_service_info option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "standard" type does not require a wccp2_service_info option,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# just specifying the service id will suffice.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MD5 service authentication can be enabled by adding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "password=<password>" to the end of this service declaration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Examples:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_service standard 0 # for the 'web-cache' standard service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_service dynamic 80 # a dynamic service type which will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # fleshed out with subsequent options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_service standard 0 password=foo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the 'web-cache' standard service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_service_info
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dynamic WCCPv2 services require further information to define the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# traffic you wish to have diverted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The format is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_service_info <id> protocol=<protocol> flags=<flag>,<flag>..
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# priority=<priority> ports=<port>,<port>..
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The relevant WCCPv2 flags:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# + src_ip_hash, dst_ip_hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# + source_port_hash, dst_port_hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# + src_ip_alt_hash, dst_ip_alt_hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# + src_port_alt_hash, dst_port_alt_hash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# + ports_source
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The port list can be one to eight entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# priority=240 ports=80
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: the service id must have been defined by a previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'wccp2_service dynamic <id>' entry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_weight
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each cache server gets assigned a set of the destination
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hash proportional to their weight.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# wccp2_weight 10000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option if you require WCCPv2 to use a specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interface address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default behavior is to not bind to any specific address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Address selected by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: wccp2_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option if you require WCCP to use a specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# interface address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default behavior is to not bind to any specific address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Address selected by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# PERSISTENT CONNECTION HANDLING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Also see "pconn_timeout" in the TIMEOUTS section
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_persistent_connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Persistent connection support for clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid uses persistent connections (when allowed). You can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this option to disable persistent connections with clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_persistent_connections on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: server_persistent_connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Persistent connection support for servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid uses persistent connections (when allowed). You can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this option to disable persistent connections with servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server_persistent_connections on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: persistent_connection_after_error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With this directive the use of persistent connections after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP errors can be disabled. Useful if you have clients
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# who fail to handle errors on persistent connections proper.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# persistent_connection_after_error on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: detect_broken_pconn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some servers have been found to incorrectly signal the use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of HTTP/1.0 persistent connections even on replies not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# compatible, causing significant delays. This server problem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has mostly been seen on redirects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By enabling this directive Squid attempts to detect such
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# broken replies and automatically assume the reply is finished
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# after 10 seconds timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# detect_broken_pconn off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CACHE DIGEST OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: digest_generation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-cache-digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This controls whether the server will generate a Cache Digest
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of its contents. By default, Cache Digest generation is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# enabled if Squid is compiled with --enable-cache-digests defined.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_generation on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: digest_bits_per_entry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-cache-digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the number of bits of the server's Cache Digest which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be associated with the Digest entry for a given HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Method and URL (public key) combination. The default is 5.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_bits_per_entry 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: digest_rebuild_period (seconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-cache-digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the wait time between Cache Digest rebuilds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_rebuild_period 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: digest_rewrite_period (seconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-cache-digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the wait time between Cache Digest writes to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_rewrite_period 1 hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: digest_swapout_chunk_size (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-cache-digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the number of bytes of the Cache Digest to write to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disk at a time. It defaults to 4096 bytes (4KB), the Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default swap page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_swapout_chunk_size 4096 bytes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: digest_rebuild_chunk_percentage (percent, 0-100)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-cache-digests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the percentage of the Cache Digest to be scanned at a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# time. By default it is set to 10% of the Cache Digest.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_rebuild_chunk_percentage 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SNMP OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: snmp_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The port number where Squid listens for SNMP requests. To enable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SNMP support set this to a suitable port number. Port number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3401 is often used for the Squid SNMP agent. By default it's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# set to "0" (disabled)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snmp_port 3401
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SNMP disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: snmp_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allowing or denying access to the SNMP port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All access to the agent is denied by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# usage:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snmp_access allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snmp_access allow snmppublic localhost
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snmp_access deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: snmp_incoming_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Just like 'udp_incoming_address', but for the SNMP port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snmp_incoming_address is used for the SNMP socket receiving
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# messages from SNMP agents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default snmp_incoming_address is to listen on all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available network interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept SNMP packets from all machine interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: snmp_outgoing_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Just like 'udp_outgoing_address', but for the SNMP port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snmp_outgoing_address is used for SNMP packets returned to SNMP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# agents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If snmp_outgoing_address is not set it will use the same socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as snmp_incoming_address. Only change this if you want to have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SNMP replies sent using another address than where this Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listens for SNMP queries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the same value since they both use the same port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use snmp_incoming_address or an address selected by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICP OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icp_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The port number where Squid sends and receives ICP queries to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and from neighbor caches. The standard UDP port for ICP is 3130.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp_port 3130
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICP disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: htcp_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The port number where Squid sends and receives HTCP queries to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and from neighbor caches. To turn it on you want to set it to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4827.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# htcp_port 4827
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTCP disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: log_icp_queries on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set, ICP queries are logged to access.log. You may wish
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# do disable this if your ICP load is VERY high to speed things
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# up or to simplify log analysis.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# log_icp_queries on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log_icp_queries off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: udp_incoming_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# udp_incoming_address is used for UDP packets received from other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# caches.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default behavior is to not bind to any specific address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only change this if you want to have all UDP queries received on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a specific interface/address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modules. Altering it will affect all of them in the same manner.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see also; udp_outgoing_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE, udp_incoming_address and udp_outgoing_address can not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have the same value since they both use the same port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept packets from all machine interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: udp_outgoing_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# udp_outgoing_address is used for UDP packets sent out to other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# caches.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default behavior is to not bind to any specific address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Instead it will use the same socket as udp_incoming_address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only change this if you want to have UDP queries sent using another
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address than where this Squid listens for UDP queries from other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# caches.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# modules. Altering it will affect all of them in the same manner.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see also; udp_incoming_address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE, udp_incoming_address and udp_outgoing_address can not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have the same value since they both use the same port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use udp_incoming_address or an address selected by the operating system.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icp_hit_stale on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to return ICP_HIT for stale cache objects, set this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option to 'on'. If you have sibling relationships with caches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in other administrative domains, this should be 'off'. If you only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have sibling relationships with caches under your control,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it is probably okay to set this to 'on'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'on', your siblings should use the option "allow-miss"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on their cache_peer lines for connecting to you.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp_hit_stale off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: minimum_direct_hops
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If using the ICMP pinging stuff, do direct fetches for sites
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which are no more than this many hops away.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minimum_direct_hops 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: minimum_direct_rtt (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If using the ICMP pinging stuff, do direct fetches for sites
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which are no more than this many rtt milliseconds away.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minimum_direct_rtt 400
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: netdb_low
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The low water mark for the ICMP measurement database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: high watermark controlled by netdb_high directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These watermarks are counts, not percents. The defaults are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (low) 900 and (high) 1000. When the high water mark is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reached, database entries will be deleted until the low
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark is reached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# netdb_low 900
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: netdb_high
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The high water mark for the ICMP measurement database.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: low watermark controlled by netdb_low directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These watermarks are counts, not percents. The defaults are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (low) 900 and (high) 1000. When the high water mark is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reached, database entries will be deleted until the low
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark is reached.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# netdb_high 1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: netdb_ping_period
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum period for measuring a site. There will be at
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# least this much delay between successive pings to the same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network. The default is five minutes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# netdb_ping_period 5 minutes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: query_icmp on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to ask your peers to include ICMP data in their ICP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# replies, enable this option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If your peer has configured Squid (during compilation) with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# '--enable-icmp' that peer will send ICMP pings to origin server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sites of the URLs it receives. If you enable this option the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICP replies from that peer will include the ICMP data (if available).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Then, when choosing a parent cache, Squid will choose the parent with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the minimal RTT to the origin server. When this happens, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hierarchy field of the access.log will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "CLOSEST_PARENT_MISS". This option is off by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# query_icmp off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: test_reachability on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instead of ICP_MISS if the target host is NOT in the ICMP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# database, or has a zero RTT.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# test_reachability off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icp_query_timeout (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally Squid will automatically determine an optimal ICP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# query timeout value based on the round-trip-time of recent ICP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queries. If you want to override the value determined by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid, set this 'icp_query_timeout' to a non-zero value. This
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value is specified in MILLISECONDS, so, to use a 2-second
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# timeout (the old default), you would write:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icp_query_timeout 2000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dynamic detection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: maximum_icp_query_timeout (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally the ICP query timeout is determined dynamically. But
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sometimes it can lead to very large values (say 5 seconds).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option to put an upper limit on the dynamic timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value. Do NOT use this option to always use a fixed (instead
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of a dynamic) timeout value. To set a fixed timeout see the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'icp_query_timeout' directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum_icp_query_timeout 2000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: minimum_icp_query_timeout (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally the ICP query timeout is determined dynamically. But
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sometimes it can lead to very small timeouts, even lower than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the normal latency variance on your link due to traffic.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option to put an lower limit on the dynamic timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value. Do NOT use this option to always use a fixed (instead
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of a dynamic) timeout value. To set a fixed timeout see the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'icp_query_timeout' directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minimum_icp_query_timeout 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: background_ping_rate time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls how often the ICP pings are sent to siblings that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have background-ping set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# background_ping_rate 10 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MULTICAST ICP OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mcast_groups
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This tag specifies a list of multicast groups which your server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# should join to receive multicasted ICP queries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE! Be very careful what you put here! Be sure you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# understand the difference between an ICP _query_ and an ICP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# _reply_. This option is to be set only if you want to RECEIVE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# multicast queries. Do NOT set this option to SEND multicast
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICP (use cache_peer for that). ICP replies are always sent via
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# unicast, so this option does not affect whether or not you will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# receive replies from multicast group members.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You must be very careful to NOT use a multicast address which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is already in use by another group of caches.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you are unsure about multicast, please read the Multicast
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: mcast_groups 239.128.16.128 224.0.1.20
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid doesn't listen on any multicast groups.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mcast_miss_addr
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -DMULTICAST_MISS_STREAM define
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you enable this option, every "cache miss" URL will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be sent out on the specified multicast address.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not enable this option unless you are are absolutely
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certain you understand what you are doing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mcast_miss_ttl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -DMULTICAST_MISS_STREAM define
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the time-to-live value for packets multicasted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when multicasting off cache miss URLs is enabled. By
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default this is set to 'site scope', i.e. 16.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mcast_miss_ttl 16
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mcast_miss_port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -DMULTICAST_MISS_STREAM define
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the port number to be used in conjunction with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'mcast_miss_addr'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mcast_miss_port 3135
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mcast_miss_encode_key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -DMULTICAST_MISS_STREAM define
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The URLs that are sent in the multicast miss stream are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encrypted. This is the encryption key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mcast_miss_encode_key XXXXXXXXXXXXXXXX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mcast_icp_query_timeout (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For multicast peers, Squid regularly sends out ICP "probes" to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# count how many other peers are listening on the given multicast
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# address. This value specifies how long Squid should wait to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# count all the replies. The default is 2000 msec, or 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mcast_icp_query_timeout 2000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# INTERNAL ICON OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icon_directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Where the icons are stored. These are normally kept in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# @PREFIX@/share/squid/icons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icon_directory @PREFIX@/share/squid/icons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: global_internal_static
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive controls is Squid should intercept all requests for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /squid-internal-static/ no matter which host the URL is requesting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (default on setting), or if nothing special should be done for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# such URLs (off setting). The purpose of this directive is to make
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icons etc work better in complex cache hierarchies where it may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not always be possible for all corners in the cache mesh to reach
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server generating a directory listing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# global_internal_static on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: short_icon_urls
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this is enabled Squid will use short URLs for icons.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If disabled it will revert to the old behavior of including
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it's own name and port in the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you run a complex cache hierarchy with a mix of Squid and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other proxies you may need to disable this directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# short_icon_urls on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ERROR PAGE OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: error_directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you wish to create your own versions of the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# error files to customize them to suit your company copy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the error/template files to another directory and point
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this tag at them.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: This option will disable multi-language support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on error pages if used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid developers are interested in making squid available in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a wide variety of languages. If you are making translations for a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# language that Squid does not currently provide please consider
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# contributing your translation back to the project.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki.squid-cache.org/Translations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid developers working on translations are happy to supply drop-in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# translated error files in exchange for any new language contributions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Send error pages in the clients preferred language
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: error_default_language
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the default language which squid will send error pages in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if no existing translation matches the clients language
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preferences.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If unset (default) generic English will be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The squid developers are interested in making squid available in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a wide variety of languages. If you are interested in making
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# translations for any language see the squid wiki for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http://wiki.squid-cache.org/Translations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Generate English language pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: error_log_languages
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Log to cache.log what languages users are attempting to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auto-negotiate for translations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Successful negotiations are not logged. Only failures
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# have meaning to indicate that Squid may need an upgrade
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of its error page translations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# error_log_languages on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: err_page_stylesheet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# CSS Stylesheet to pattern the display of Squid default error pages.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For information on CSS see http://www.w3.org/Style/CSS/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# err_page_stylesheet @PREFIX@/etc/squid/errorpage.css
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: err_html_text
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTML text to include in error messages. Make this a "mailto"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL to your admin address, or maybe just a link to your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# organizations Web page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To include this in your error messages, you must rewrite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the error template files (found in the "errors" directory).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Wherever you want the 'err_html_text' line to appear,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# insert a %L tag in the error template file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: email_err_data on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If enabled, information about the occurred error will be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# included in the mailto links of the ERR pages (if %W is set)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# so that the email body contains the data.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Syntax is <A HREF="mailto:%w%W">%w</A>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# email_err_data on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: deny_info
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: deny_info err_page_name acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or deny_info http://... acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or deny_info TCP_RESET acl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This can be used to return a ERR_ page for requests which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# do not pass the 'http_access' rules. Squid remembers the last
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl it evaluated in http_access, and if a 'deny_info' line exists
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for that ACL Squid returns a corresponding error page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The acl is typically the last acl on the http_access deny line which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# denied access. The exceptions to this rule are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - When Squid needs to request authentication credentials. It's then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the first authentication related acl encountered
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - When none of the http_access lines matches. It's then the last
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl processed on the last http_access line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - When the decision to deny access was made by an adaptation service,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the acl name is the corresponding eCAP or ICAP service_name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NP: If providing your own custom error pages with error_directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you may also specify them by your custom file name:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may be specified by prefixing the file name with the code and a colon.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Alternatively you can tell Squid to reset the TCP connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by specifying TCP_RESET.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Or you can specify an error URL or URL pattern. The browsers will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# get redirected to the specified URL after formatting tags have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# been replaced. Redirect will be done with 302 or 307 according to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the URL. e.g. 303:http://example.com/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL FORMAT TAGS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %a - username (if available. Password NOT included)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %B - FTP path URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %e - Error number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %E - Error description
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %h - Squid hostname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %H - Request domain name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %i - Client IP Address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %M - Request Method
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %O - Unescaped message result from external ACL helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %o - Message result from external ACL helper
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %p - Request Port number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %P - Request Protocol name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %R - Request URL path
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %T - Timestamp in RFC 1123 format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %U - Full canonical URL from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (HTTPS URLs terminate with *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %u - Full canonical URL from client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %w - Admin email from squid.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %x - Error name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# %% - Literal percent (%) code
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS INFLUENCING REQUEST FORWARDING
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: nonhierarchical_direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid will send any non-hierarchical requests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (not cacheable request type) direct to origin servers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this is set to "off", Squid will prefer to send these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests to parents.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that in most configurations, by turning this off you will only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# add latency to these request without any improvement in global hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ratio.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option only sets a preference. If the parent is unavailable a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# direct connection to the origin server may still be attempted. To
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# completely prevent direct connections use never_direct.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# nonhierarchical_direct on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: prefer_direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally Squid tries to use parents for most requests. If you for some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reason like it to first try going direct and only use a parent if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# going direct fails set this to on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By combining nonhierarchical_direct off and prefer_direct on you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can set up Squid to use a parent as a backup path if going direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fails.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: If you want Squid to use parents for all requests see
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the never_direct directive. prefer_direct only modifies how Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acts on cacheable requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# prefer_direct off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cache_miss_revalidate on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC 7232 defines a conditional request mechanism to prevent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response objects being unnecessarily transferred over the network.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If that mechanism is used by the client and a cache MISS occurs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# it can prevent new cache entries being created.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option determines whether Squid on cache MISS will pass the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client revalidation request to the server or tries to fetch new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content for caching. It can be useful while the cache is mostly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# empty to more quickly have the cache populated by generating
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non-conditional GETs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set to 'on' (default), Squid will pass all client If-* headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the server. This permits server responses without a cacheable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# payload to be delivered and on MISS no new cache entry is created.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set to 'off' and if the request is cacheable, Squid will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# remove the clients If-Modified-Since and If-None-Match headers from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request sent to the server. This requests a 200 status response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from the server to create a new cache entry with.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache_miss_revalidate on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: always_direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: always_direct allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Here you can use ACL elements to specify requests which should
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALWAYS be forwarded by Squid to the origin servers without using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any peers. For example, to always directly forward requests for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# local servers ignoring any parents or siblings you may have use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# something like:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl local-servers dstdomain my.domain.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always_direct allow local-servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To always forward FTP requests directly, use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl FTP proto FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always_direct allow FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: There is a similar, but opposite option named
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'never_direct'. You need to be aware that "always_direct deny
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# foo" is NOT the same thing as "never_direct allow foo". You
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may need to use a deny rule to exclude a more-specific case of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some other rule. Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl local-external dstdomain external.foo.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl local-servers dstdomain .foo.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always_direct deny local-external
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always_direct allow local-servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: If your goal is to make the client forward the request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directly to the origin server bypassing Squid then this needs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to be done in the client configuration. Squid configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can only tell Squid how Squid should fetch the object.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: This directive is not related to caching. The replies
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is cached as usual even if you use always_direct. To not cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the replies see the 'cache' directive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Prevent any cache_peer being used for this request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not send AWS requests through Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl aws-domains dstdomain \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .aws.amazon.com \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .cloudfront.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always_direct allow aws-domains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Define ACL for protocol FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl ftp proto FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always_direct allow ftp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Direct to specified domain names
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#acl mydomainname dstdomain .mydomainname.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#always_direct allow mydomainname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forward SSL requests to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#always_direct allow SSL_ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not send AWS requests through Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl aws-domains dstdomain \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .aws.amazon.com \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .cloudfront.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always_direct allow aws-domains
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Define ACL for protocol FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl ftp proto FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always_direct allow ftp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Direct to specified domain names
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#acl mydomainname dstdomain .mydomainname.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#always_direct allow mydomainname
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not forward SSL requests to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always_direct allow SSL_ports
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: never_direct
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: never_direct allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never_direct is the opposite of always_direct. Please read
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the description for always_direct if you have not already.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With 'never_direct' you can use ACL elements to specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests which should NEVER be forwarded directly to origin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# servers. For example, to force the use of a proxy for all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests, except those in your local domain use something like:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl local-servers dstdomain .foo.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never_direct deny local-servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never_direct allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or if Squid is inside a firewall and there are local intranet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# servers inside the firewall use something like:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl local-intranet dstdomain .foo.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl local-external dstdomain external.foo.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always_direct deny local-external
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# always_direct allow local-intranet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# never_direct allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause supports both fast and slow acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow DNS results to be used for this request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Forward all the rest to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+never_direct allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://www.privoxy.org/user-manual/config.html
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Forward all the rest to Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+never_direct allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
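Review bot: The site-specific rules added after the always_direct TAG text appear twice in this hunk: `acl aws-domains`, `acl ftp` and their `always_direct allow` lines are repeated verbatim, and `never_direct allow all` is likewise added twice after the never_direct TAG text.
The two copies differ only in that the first leaves `#always_direct allow SSL_ports` commented out and the second enables it, so the enabled line is the one that takes effect and the first copy is stale.
Suggest keeping a single copy of each block (with `always_direct allow SSL_ports` enabled, if not forwarding SSL requests to Privoxy is the intent), so that a later edit to one copy cannot silently disagree with the other.
Separately, `.cloudfront.net` under the "Do not send AWS requests through Privoxy" comment exempts everything served from that CDN domain from Privoxy, not only AWS's own services; a comment stating that this breadth is intended would help.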
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ADVANCED NETWORKING OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: incoming_udp_average
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Heavy voodoo here. I can't even believe you are reading this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Are you crazy? Don't even think about adjusting these unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you understand the algorithms in comm_select.c first!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incoming_udp_average 6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: incoming_tcp_average
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Heavy voodoo here. I can't even believe you are reading this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Are you crazy? Don't even think about adjusting these unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you understand the algorithms in comm_select.c first!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incoming_tcp_average 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: incoming_dns_average
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Heavy voodoo here. I can't even believe you are reading this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Are you crazy? Don't even think about adjusting these unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you understand the algorithms in comm_select.c first!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# incoming_dns_average 4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: min_udp_poll_cnt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Heavy voodoo here. I can't even believe you are reading this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Are you crazy? Don't even think about adjusting these unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you understand the algorithms in comm_select.c first!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min_udp_poll_cnt 8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: min_dns_poll_cnt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Heavy voodoo here. I can't even believe you are reading this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Are you crazy? Don't even think about adjusting these unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you understand the algorithms in comm_select.c first!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min_dns_poll_cnt 8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: min_tcp_poll_cnt
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Heavy voodoo here. I can't even believe you are reading this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Are you crazy? Don't even think about adjusting these unless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# you understand the algorithms in comm_select.c first!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# min_tcp_poll_cnt 8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: accept_filter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FreeBSD:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The name of an accept(2) filter to install on Squid's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# listen socket(s). This feature is perhaps specific to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# FreeBSD and requires support in the kernel.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The 'httpready' filter delays delivering new connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to Squid until a full HTTP request has been received.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the accf_http(9) man page for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The 'dataready' filter delays delivering new connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to Squid until there is some data to process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the accf_dataready(9) man page for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Linux:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The 'data' filter delays delivering of new connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to Squid until there is some data to process by TCP_ACCEPT_DEFER.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# You may optionally specify a number of seconds to wait by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'data=N' where N is the number of seconds. Defaults to 30
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if not specified. See the tcp(7) man page for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#EXAMPLE:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## FreeBSD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#accept_filter httpready
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## Linux
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#accept_filter data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_ip_max_connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set an absolute limit on the number of connections a single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client IP can use. Any more than this and Squid will begin to drop
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# new connections from the client until it closes some links.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections from the client. For finer control use the ACL access controls.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires client_db to be enabled (the default).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: This may noticably slow down traffic received via external proxies
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or NAT devices and cause them to rebound error messages back to their clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: tcp_recv_bufsize (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Size of receive buffer to set for TCP sockets. Probably just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as easy to change your kernel's default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Omit from squid.conf to use the default buffer size.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use operating system TCP defaults.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_enable on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to enable the ICAP module support, set this to on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_enable off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_connect_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter specifies how long to wait for the TCP connect to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the requested ICAP server to complete before giving up and either
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminating the HTTP transaction or bypassing the failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default for optional services is peer_connect_timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default for essential services is connect_timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this option is explicitly set, its value applies to all services.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_io_timeout time-units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter specifies how long to wait for an I/O activity on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an established, active ICAP connection before giving up and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# either terminating the HTTP transaction or bypassing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# failure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use read_timeout.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_service_failure_limit limit [in memory-depth time-units]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The limit specifies the number of failures that Squid tolerates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when establishing a new TCP connection with an ICAP service. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the number of failures exceeds the limit, the ICAP service is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not used for new ICAP requests until it is time to refresh its
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A negative value disables the limit. Without the limit, an ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service will not be considered down due to connectivity failures
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# between ICAP OPTIONS requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid forgets ICAP service failures older than the specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value of memory-depth. The memory fading algorithm
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is approximate because Squid does not remember individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# errors but groups them instead, splitting the option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value into ten time slots of equal length.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When memory-depth is 0 and by default this option has no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# effect on service failure expiration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid always forgets failures when updating service settings
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using an ICAP OPTIONS transaction, regardless of this option
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # suspend service usage after 10 failures in 5 seconds:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_service_failure_limit 10 in 5 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_service_failure_limit 10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_service_revival_delay
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The delay specifies the number of seconds to wait after an ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OPTIONS request failure before requesting the options again. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# failed ICAP service is considered "down" until fresh OPTIONS are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fetched.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The actual delay cannot be smaller than the hardcoded minimum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay of 30 seconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_service_revival_delay 180
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_preview_enable on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The ICAP Preview feature allows the ICAP server to handle the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP message by looking only at the beginning of the message body
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or even without receiving the body at all. In some environments,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# previews greatly speedup ICAP processing.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# During an ICAP OPTIONS transaction, the server may tell Squid what
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP messages should be previewed and how big the preview should be.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will not use Preview if the server did not request one.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To disable ICAP Preview for all ICAP services, regardless of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual ICAP server OPTIONS responses, set this option to "off".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#icap_preview_enable off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_preview_enable on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_preview_size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default size of preview data to be sent to the ICAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This value might be overwritten on a per server basis by OPTIONS requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No preview sent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_206_enable on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 206 (Partial Content) responses is an ICAP extension that allows the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP agents to optionally combine adapted and original HTTP message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# content. The decision to combine is postponed until the end of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP response. Squid supports Partial Content extension by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Activation of the Partial Content extension is negotiated with each
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP service during OPTIONS exchange. Most ICAP servers should handle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# negotation correctly even if they do not support the extension, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# some might fail. To disable Partial Content support for all ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services and to avoid any negotiation, set this option to "off".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_206_enable off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_206_enable on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_default_options_ttl
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default TTL value for ICAP OPTIONS responses that don't have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an Options-TTL header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_default_options_ttl 60
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_persistent_connections on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether or not Squid should use persistent connections to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an ICAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_persistent_connections on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_send_client_ip on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If enabled, Squid shares HTTP client IP information with adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For eCAP, Squid sets the libecap::metaClientIp transaction option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: adaptation_uses_indirect_client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_send_client_ip off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_send_username on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This sends authenticated HTTP client username (if available) to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the adaptation service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For ICAP, the username value is encoded based on the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_client_username_encode option and is sent using the header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified by the icap_client_username_header option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_send_username off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_client_username_header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP request header name to use for adaptation_send_username.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_client_username_header X-Client-Username
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_client_username_encode on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to base64 encode the authenticated client username.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_client_username_encode off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defines a single ICAP service using the following format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_service id vectoring_point uri [option ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# id: ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an opaque identifier or name which is used to direct traffic to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this specific service. Must be unique among all adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This specifies at which point of transaction processing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP service should be activated. *_postcache vectoring points
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are not yet supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uri: icap://servername:port/servicepath
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP server and service location.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icaps://servername:port/servicepath
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "icap:" URI scheme is used for traditional ICAP server and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service location (default port is 1344, connections are not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encrypted). The "icaps:" URI scheme is for Secure ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services that use SSL/TLS-encrypted ICAP connections (by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default, on port 11344).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP does not allow a single service to handle both REQMOD and RESPMOD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transactions. Squid does not enforce that requirement. You can specify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services with the same service_url and different vectoring_points. You
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# can even specify multiple identical services as long as their
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service_names differ.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To activate a service, use the adaptation_access directive. To group
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services, use adaptation_service_chain and adaptation_service_set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Service options are separated by white space. ICAP services support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the following name=value options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypass=on|off|1|0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'on' or '1', the ICAP service is treated as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# optional. If the service cannot be reached or malfunctions,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will try to ignore any errors and process the message as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# if the service was not enabled. No all ICAP errors can be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypassed. If set to 0, the ICAP service is treated as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# essential and all ICAP errors will result in an error page
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# returned to the HTTP client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Bypass is off by default: services are treated as essential.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# routing=on|off|1|0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'on' or '1', the ICAP service is allowed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dynamically change the current message adaptation plan by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# returning a chain of services to be used next. The services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are specified using the X-Next-Services ICAP response header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value, formatted as a comma-separated list of service names.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each named service should be configured in squid.conf. Other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services are ignored. An empty X-Next-Services value results
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in an empty plan which ends the current adaptation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dynamic adaptation plan may cross or cover multiple supported
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vectoring points in their natural processing order.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Routing is not allowed by default: the ICAP X-Next-Services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response header is ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ipv6=on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only has effect on split-stack systems. The default on those systems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is to use IPv4-only connections. When set to 'on' this option will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# make Squid use IPv6-only connections to contact this ICAP service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on-overload=block|bypass|wait|force
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the service Max-Connections limit has been reached, do
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one of the following for each new ICAP transaction:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * block: send an HTTP error response to the client
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * bypass: ignore the "over-connected" ICAP service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * wait: wait (in a FIFO queue) for an ICAP connection slot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * force: proceed, ignoring the Max-Connections limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In SMP mode with N workers, each worker assumes the service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection limit is Max-Connections/N, even though not all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# workers may use a given service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default value is "bypass" if service is bypassable,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# otherwise it is set to "wait".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# max-conn=number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the given number as the Max-Connections limit, regardless
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of the Max-Connections value given by the service, if any.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-encryption=on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determines the ICAP service effect on the connections_encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The default is "on" for Secure ICAP services (i.e., those
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the icaps:// service URIs scheme) and "off" for plain ICAP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Does not affect ICAP connections (e.g., does not turn Secure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ICAP on or off).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ==== ICAPS / TLS OPTIONS ====
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# These options are used for Secure ICAP (icaps://....) services only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cert=/path/to/ssl/certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A client X.509 certificate to use when connecting to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this ICAP server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-key=/path/to/ssl/key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The private key corresponding to the previous
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cert= option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If tls-key= is not specified tls-cert= is assumed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reference a PEM file containing both the certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and private key.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cipher=... The list of valid TLS/SSL ciphers to use when connecting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to this icap server.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-min-version=1.N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The minimum TLS protocol version to permit. To control
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SSLv3 use the tls-options= parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supported Values: 1.0 (default), 1.1, 1.2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-options=... Specify various OpenSSL library options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NO_SSLv3 Disallow the use of SSLv3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SINGLE_DH_USE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Always create a new key when using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# temporary/ephemeral DH key exchanges
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ALL Enable various bug workarounds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# suggested as "harmless" by OpenSSL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Be warned that this reduces SSL/TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strength to some attacks.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See the OpenSSL SSL_CTX_set_options documentation for a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# more complete list. Options relevant only to SSLv2 are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-cafile= PEM file containing CA certificates to use when verifying
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the icap server certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use to specify intermediate CA certificate(s) if not sent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the server. Or the full CA chain for the server when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the tls-default-ca=off flag.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# May be repeated to load multiple files.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-capath=... A directory containing additional CA certificates to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use when verifying the icap server certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires OpenSSL or LibreSSL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-crlfile=... A certificate revocation list file to use when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verifying the icap server certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-flags=... Specify various flags modifying the Squid TLS implementation:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DONT_VERIFY_PEER
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Accept certificates even if they fail to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# verify.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DONT_VERIFY_DOMAIN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Don't verify the icap server certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matches the server name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-default-ca[=off]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to use the system Trusted CAs. Default is ON.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# tls-domain= The icap server name as advertised in it's certificate.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Used for verifying the correctness of the received icap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server certificate. If not specified the icap server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hostname extracted from ICAP URI will be used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Older icap_service format without optional named parameters is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deprecated but supported for backward compatibility.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#icap_service svcBlocker reqmod_precache icap://icap1.mydomain.net:1344/reqmod bypass=0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#icap_service svcLogger reqmod_precache icaps://icap2.mydomain.net:11344/reqmod routing=on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_class
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This deprecated option was documented to define an ICAP service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chain, even though it actually defined a set of similar, redundant
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services, and the chains were not supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To define a set of redundant services, please use the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_service_set directive. For service chains, use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_service_chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option is deprecated. Please use adaptation_access, which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# has the same ICAP functionality, but comes with better
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# documentation, and eCAP support.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eCAP OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ecap_enable on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-ecap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls whether eCAP support is enabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ecap_enable off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ecap_service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-ecap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defines a single eCAP service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ecap_service id vectoring_point uri [option ...]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# id: ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# an opaque identifier or name which is used to direct traffic to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# this specific service. Must be unique among all adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This specifies at which point of transaction processing the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eCAP service should be activated. *_postcache vectoring points
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are not yet supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uri: ecap://vendor/service_name?custom&cgi=style¶meters=optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid uses the eCAP service URI to match this configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# line with one of the dynamically loaded services. Each loaded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eCAP service must have a unique URI. Obtain the right URI from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the service provider.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To activate a service, use the adaptation_access directive. To group
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services, use adaptation_service_chain and adaptation_service_set.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Service options are separated by white space. eCAP services support
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the following name=value options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypass=on|off|1|0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'on' or '1', the eCAP service is treated as optional.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the service cannot be reached or malfunctions, Squid will try
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ignore any errors and process the message as if the service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# was not enabled. No all eCAP errors can be bypassed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'off' or '0', the eCAP service is treated as essential
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and all eCAP errors will result in an error page returned to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Bypass is off by default: services are treated as essential.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# routing=on|off|1|0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'on' or '1', the eCAP service is allowed to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dynamically change the current message adaptation plan by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# returning a chain of services to be used next.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Dynamic adaptation plan may cross or cover multiple supported
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vectoring points in their natural processing order.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Routing is not allowed by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection-encryption=on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determines the eCAP service effect on the connections_encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defaults to "on", which does not taint the master transaction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# w.r.t. that ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Does not affect eCAP API calls.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Older ecap_service format without optional named parameters is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deprecated but supported for backward compatibility.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ecap_service s1 reqmod_precache ecap://filters.R.us/leakDetector?on_error=block bypass=off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#ecap_service s2 respmod_precache ecap://filters.R.us/virusFilter config=/etc/vf.cfg bypass=on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: loadable_modules
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-loadable-modules
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Instructs Squid to load the specified dynamic module(s) or activate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# preloaded module(s).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#loadable_modules @PREFIX@/lib/MinimalAdapter.so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MESSAGE ADAPTATION OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_service_set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configures an ordered set of similar, redundant services. This is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# useful when hot standby or backup adaptation servers are available.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_service_set set_name service_name1 service_name2 ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The named services are used in the set declaration order. The first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applicable adaptation service from the set is used first. The next
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applicable service is tried if and only if the transaction with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# previous service fails and the message waiting to be adapted is still
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# intact.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When adaptation starts, broken services are ignored as if they were
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not a part of the set. A broken service is a down optional service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The services in a set must be attached to the same vectoring point
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If all services in a set are optional then adaptation failures are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bypassable. If all services in the set are essential, then a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction failure with one service may still be retried using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# another service from the set, but when all services fail, the master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction fails as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A set may contain a mix of optional and essential services, but that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is likely to lead to surprising results because broken services become
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignored (see above), making previously bypassable failures fatal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Technically, it is the bypassability of the last failed service that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matters.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: adaptation_access adaptation_service_chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#adaptation service_set svcLogger loggerLocal loggerRemote
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
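Review bot: The second example line for adaptation_service_set reads "#adaptation service_set svcLogger loggerLocal loggerRemote", with a space where the directive name needs an underscore. The syntax line and the first example both spell it adaptation_service_set, so anyone who uncomments this line as a template ends up with a directive that does not match the documented name. Suggest changing it to "#adaptation_service_set svcLogger loggerLocal loggerRemote". While touching this region, "No all ICAP errors can be bypassed" and "No all eCAP errors can be bypassed" in the bypass= descriptions should read "Not all", and "advertised in it's certificate" under tls-domain= should read "its".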
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_service_chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Configures a list of complementary services that will be applied
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# one-by-one, forming an adaptation chain or pipeline. This is useful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when Squid must perform different adaptations on the same message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_service_chain chain_name service_name1 svc_name2 ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The named services are used in the chain declaration order. The first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applicable adaptation service from the chain is used first. The next
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applicable service is applied to the successful adaptation results of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the previous service in the chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When adaptation starts, broken services are ignored as if they were
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not a part of the chain. A broken service is a down optional service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request satisfaction terminates the adaptation chain because Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# does not currently allow declaration of RESPMOD services at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "reqmod_precache" vectoring point (see icap_service or ecap_service).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The services in a chain must be attached to the same vectoring point
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A chain may contain a mix of optional and essential services. If an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# essential adaptation fails (or the failure cannot be bypassed for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other reasons), the master transaction fails. Otherwise, the failure
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is bypassed as if the failed adaptation service was not in the chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: adaptation_access adaptation_service_set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#adaptation_service_chain svcRequest requestLogger urlFilter leakDetector
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Sends an HTTP transaction to an ICAP or eCAP adaptation service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_access service_name allow|deny [!]aclname...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_access set_name allow|deny [!]aclname...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# At each supported vectoring point, the adaptation_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# statements are processed in the order they appear in this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration file. Statements pointing to the following services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are ignored (i.e., skipped without checking their ACL):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - services serving different vectoring points
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - "broken-but-bypassable" services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - "up" services configured to ignore such transactions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., based on the ICAP Transfer-Ignore header).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When a set_name is used, all services in the set are checked
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# using the same rules, to find the first applicable one. See
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_service_set for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If an access list is checked and there is a match, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processing stops: For an "allow" rule, the corresponding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation service is used for the transaction. For a "deny"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rule, no adaptation service is activated.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# It is currently not possible to apply more than one adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# service at the same vectoring point to the same HTTP transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: icap_service and ecap_service
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#adaptation_access service_1 allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allow, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_service_iteration_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Limits the number of iterations allowed when applying adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# services to a message. If your longest adaptation set or chain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# may have more than 16 services, increase the limit beyond its
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default value of 16. If detecting infinite iteration loops sooner
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is critical, make the iteration limit match the actual number
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of services in your longest adaptation set or chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Infinite adaptation loops are most likely with routing services.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: icap_service routing=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_service_iteration_limit 16
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_masterx_shared_names
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For each master transaction (i.e., the HTTP request and response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sequence, including all related ICAP and eCAP exchanges), Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maintains a table of metadata. The table entries are (name, value)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pairs shared among eCAP and ICAP exchanges. The table is destroyed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with the master transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option specifies the table entry names that Squid must accept
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from and forward to the adaptation transactions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An ICAP REQMOD or RESPMOD transaction may set an entry in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared table by returning an ICAP header field with a name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified in adaptation_masterx_shared_names.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An eCAP REQMOD or RESPMOD transaction may set an entry in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared table by implementing the libecap::visitEachOption() API
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to provide an option with a name specified in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_masterx_shared_names.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will store and forward the set entry to subsequent adaptation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transactions within the same master transaction scope.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only one shared entry name is supported at this time.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+## share authentication information among ICAP services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#adaptation_masterx_shared_names X-Subscriber-ID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: adaptation_meta
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option allows Squid administrator to add custom ICAP request
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# headers or eCAP options to Squid ICAP requests or eCAP transactions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use it to pass custom authentication tokens and other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction-state related meta information to an ICAP/eCAP service.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The addition of a meta header is ACL-driven:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_meta name value [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Processing for a given header name stops after the first ACL list match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Thus, it is impossible to add two headers with the same name. If no ACL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lists match for a given header name, no such header is added. For
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # do not debug transactions except for those that need debugging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_meta X-Debug 1 needs_debugging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # log all transactions except for those that must remain secret
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_meta X-Log 1 !keep_secret
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # mark transactions from users in the "G 1" group
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The "value" parameter may be a regular squid.conf token or a "double
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# quoted string". Within the quoted string, use backslash (\) to escape
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# any character, which is currently only useful for escaping backslashes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and double quotes. For example,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "this string has one backslash (\\) and two \"quotes\""
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Used adaptation_meta header values may be logged via %note
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logformat code. If multiple adaptation_meta headers with the same name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are used during master transaction lifetime, the header values are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# logged in the order they were used and duplicate values are ignored
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (only the first repeated value will be logged).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_retry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This ACL determines which retriable ICAP transactions are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# retried. Transactions that received a complete ICAP response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and did not have to consume or produce HTTP bodies to receive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that response are usually retriable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_retry allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid automatically retries some ICAP I/O timeouts and errors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# due to persistent connection race conditions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: icap_retry_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# icap_retry deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: icap_retry_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Limits the number of retries allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Communication errors due to persistent connection race
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# conditions are unavoidable, automatically retried, and do not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# count against this limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: icap_retry
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No retries are allowed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNS OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: check_hostnames
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For security and stability reasons Squid can check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hostnames for Internet standard RFC compliance. If you want
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid to perform these checks turn this directive on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# check_hostnames off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: allow_underscore
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Underscore characters is not strictly allowed in Internet hostnames
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but nevertheless used by many sites. Set this to off if you want
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid to be strict about the standard.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This check is performed only when check_hostnames is set to on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow_underscore on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_retransmit_interval
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Initial retransmit interval for DNS queries. The interval is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# doubled each time all configured DNS servers have been tried.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dns_retransmit_interval 5 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_timeout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNS Query timeout. If no response is received to a DNS query
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# within this time all DNS servers for the queried domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are assumed to be unavailable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dns_timeout 30 seconds
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_packet_max
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of bytes packet size to advertise via EDNS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set to "none" to disable EDNS large packet support.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For legacy reasons DNS UDP replies will default to 512 bytes which
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is too small for many responses. EDNS provides a means for Squid to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# negotiate receiving larger responses back immediately without having
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to failover with repeat requests. Responses larger than this limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will retain the old behaviour of failover to TCP DNS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid has no real fixed limit internally, but allowing packet sizes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# over 1500 bytes requires network jumbogram support and is usually not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# necessary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: The RFC also indicates that some older resolvers will reply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with failure of the whole request if the extension is added. Some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# resolvers have already been identified which will reply with mangled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EDNS response on occasion. Usually in response to many-KB jumbogram
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sizes being advertised by Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will currently treat these both as an unable-to-resolve domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# even if it would be resolvable without EDNS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# EDNS disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_defnames on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Normally the RES_DEFNAMES resolver option is disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (see res_init(3)). This prevents caches in a hierarchy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from interpreting single-component hostnames locally. To allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid to handle single-component names, enable this option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Search for single-label domain names is disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_multicast_local on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When set to on, Squid sends multicast DNS lookups on the local
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# network for domains ending in .local and .arpa.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This enables local servers and devices to be contacted in an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ad-hoc or zero-configuration network environment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Search for .local and .arpa names is disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_nameservers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this if you want to specify a list of DNS name servers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (IP addresses) to use instead of those given in your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# /etc/resolv.conf file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On Windows platforms, if no value is specified here or in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the /etc/resolv.conf file, the list of DNS name servers are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# taken from the Windows registry, both static and dynamic DHCP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configurations are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example: dns_nameservers 10.0.0.1 192.172.0.4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use operating system definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Google DNS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+dns_nameservers 8.8.8.8 4.4.4.4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use LAN IP with possible backup if you're running DNS yourself
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#dns_nameservers 10.0.1.3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
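</span><span style='display:block; white-space:pre;'>Review bot: the active line "dns_nameservers 8.8.8.8 4.4.4.4" under the "# Google DNS" comment
lists 4.4.4.4, which is not a Google Public DNS address; Google's second resolver is 8.8.4.4.
As committed, only the first of the two configured servers is the resolver the comment names,
and lookups sent to the second go to a host this file does not describe. Suggest
"dns_nameservers 8.8.8.8 8.8.4.4". Because this is a shipped default that overrides the
"Use operating system definitions" behaviour, the comment should also say that every lookup
made by the proxy goes to a third-party resolver and point to the commented LAN alternative
just below it.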
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: hosts_file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location of the host-local IP name-address associations
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# database. Most Operating Systems have such a file on different
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# default locations:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - Un*X & Linux: /etc/hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (%SystemRoot% value install default is c:\winnt)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (%SystemRoot% value install default is c:\windows)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - Windows 9x/Me: %windir%\hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (%windir% value is usually c:\windows)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - Cygwin: /etc/hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The file contains newline-separated definitions, in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# form ip_address_in_dotted_form name [name ...] names are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whitespace-separated. Lines beginning with an hash (#)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# character are comments.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The file is checked at startup and upon configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to 'none', it won't be checked.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If append_domain is used, that domain will be added to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# domain-local (i.e. not containing any dot character) host
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# definitions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hosts_file /etc/hosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+hosts_file @PREFIX@/etc/@NAME@/hosts-hphosts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: append_domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Appends local domain name to hostnames without any dots in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them. append_domain must begin with a period.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Be warned there are now Internet names with no dots in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# them using only top-domain names, so setting this may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cause some Internet sites to become unavailable.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# append_domain .yourdomain.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use operating system definitions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ignore_unknown_nameservers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default Squid checks that DNS responses are received
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from the same IP addresses they are sent to. If they
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# don't match, Squid ignores the response and writes a warning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# message to cache.log. You can allow responses from unknown
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# nameservers by setting this option to 'off'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignore_unknown_nameservers on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_v4_first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# With the IPv6 Internet being as fast or faster than IPv4 Internet
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for most networks Squid prefers to contact websites over IPv6.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option reverses the order of preference to make Squid contact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dual-stack websites over IPv4 first. Squid will still perform both
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# IPv6 and IPv4 DNS lookups before connecting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option will restrict the situations under which IPv6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connectivity is used (and tested). Hiding network problems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# which would otherwise be detected and warned about.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dns_v4_first off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ipcache_size (number of entries)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of DNS IP cache entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ipcache_size 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ipcache_size 16384
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ipcache_low (percent)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ipcache_low 90
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: ipcache_high (percent)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The size, low-, and high-water marks for the IP cache.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ipcache_high 95
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: fqdncache_size (number of entries)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Maximum number of FQDN cache entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fqdncache_size 1024
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+fqdncache_size 1048576
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MISCELLANEOUS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: configuration_includes_quoted_values on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set, Squid will recognize each "quoted string" after a configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# directive as a single parameter. The quotes are stripped before the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter value is interpreted or used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See "Values with spaces, quotes, and other special characters"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# section for more details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration_includes_quoted_values off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: memory_pools on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set, Squid will keep pools of allocated (but unused) memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available for future use. If memory is a premium on your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system and you believe your malloc library outperforms Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# routines, disable this.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory_pools on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+memory_pools off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: memory_pools_limit (bytes)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Used only with memory_pools on:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory_pools_limit 50 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to a non-zero value, Squid will keep at most the specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit of allocated (but unused) memory in memory pools. All free()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests that exceed this limit will be handled by your malloc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# library. Squid does not pre-allocate any memory, just safe-keeps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects that otherwise would be free()d. Thus, it is safe to set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory_pools_limit to a reasonably high value even if your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configuration will use less memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to none, Squid will keep all memory it can. That is, there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will be no limit on the total amount of memory used for safe-keeping.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To disable memory allocation optimization, do not set
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory_pools_limit to 0 or none. Set memory_pools to "off" instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An overhead for maintaining memory pools is not taken into account
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when the limit is checked. This overhead is close to four bytes per
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# object kept. However, pools may actually _save_ memory because of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reduced memory thrashing in your malloc library.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory_pools_limit 5 MB
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: forwarded_for on|off|transparent|truncate|delete
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "on", Squid will append your client's IP address
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in the HTTP requests it forwards. By default it looks like:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X-Forwarded-For: 192.1.2.3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "off", it will appear as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X-Forwarded-For: unknown
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "transparent", Squid will not alter the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X-Forwarded-For header in any way.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "delete", Squid will delete the entire
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X-Forwarded-For header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to "truncate", Squid will remove all existing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# X-Forwarded-For entries, and place the client IP as the sole entry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarded_for on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+forwarded_for off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: cachemgr_passwd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specify passwords for cachemgr operations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: cachemgr_passwd password action action ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Some valid actions are (see cache manager menu for a full list):
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 5min
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 60min
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# asndb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# authenticator
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cbdata
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# comm_incoming
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# config *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# counters
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# digest_stats
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dns
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# events
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# filedescriptors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fqdncache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# histograms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# info
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# io
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ipcache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# menu
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# netdb
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# non_peers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offline_toggle *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pconn
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peer_select
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reconfigure *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# redirector
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refresh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server_list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shutdown *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# store_digest
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# storedir
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# utilization
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# via_headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# vm_objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * Indicates actions which will not be performed without a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# valid password, others can be performed if not listed here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To disable an action, set the password to "disable".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To allow performing an action without a password, set the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# password to "none".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use the keyword "all" to set the same password for all actions.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cachemgr_passwd secret shutdown
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cachemgr_passwd lesssssssecret info stats/objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cachemgr_passwd disable all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# No password. Actions which require password are denied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: client_db on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you want to disable collecting per-client statistics,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# turn off client_db here.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client_db on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+client_db off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: refresh_all_ims on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When you enable this option, squid will always check
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the origin server for an update when a client sends an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If-Modified-Since request. Many browsers use IMS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests when the user requests a reload, and this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ensures those clients receive the latest version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default (off), squid may return a Not Modified response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# based on the age of the cached version.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# refresh_all_ims off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: reload_into_ims on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When you enable this option, client no-cache or ``reload''
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests will be changed to If-Modified-Since requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Doing this VIOLATES the HTTP standard. Enabling this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# feature could make you liable for problems which it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# causes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# see also refresh_pattern for a more selective approach.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reload_into_ims off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: connect_retries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Limits the number of reopening attempts when establishing a single
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TCP connection. All these attempts must still complete before the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applicable connection opening timeout expires.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default and when connect_retries is set to zero, Squid does not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# retry failed connection opening attempts.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The (not recommended) maximum is 10 tries. An attempt to configure a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# higher value results in the value of 10 being used (with a warning).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid may open connections to retry various high-level forwarding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# failures. For an outside observer, that activity may look like a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# low-level connection reopening attempt, but those high-level retries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are governed by forward_max_tries instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: connect_timeout, forward_timeout, icap_connect_timeout,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ident_timeout, and forward_max_tries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not retry failed connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: retry_on_error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If set to ON Squid will automatically retry requests when
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# receiving an error response with status 403 (Forbidden),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 500 (Internal Error), 501 or 503 (Service not available).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Status 502 and 504 (Gateway errors) are always retried.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is mainly useful if you are in a complex cache hierarchy to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# work around access control errors.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: This retry will attempt to find another working destination.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Which is different from the server which just failed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# retry_on_error off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: as_whois_server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WHOIS server to query for AS numbers. NOTE: AS numbers are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# queried only when Squid starts up, not for every request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as_whois_server whois.ra.net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: offline_mode
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Enable this option and Squid will never try to validate cached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# objects.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offline_mode off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: uri_whitespace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# What to do with requests that have whitespace characters in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URI. Options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strip: The whitespace characters are stripped out of the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the behavior recommended by RFC2396 and RFC3986
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for tolerant handling of generic URI.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: This is one difference between generic URI and HTTP URLs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deny: The request is denied. The user receives an "Invalid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request" message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This is the behaviour recommended by RFC2616 for safe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# handling of HTTP request URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allow: The request is allowed and the URI is not changed. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whitespace characters remain in the URI. Note the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# whitespace is passed to redirector processes if they
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are in use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note this may be considered a violation of RFC2616
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request parsing where whitespace is prohibited in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# URL field.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encode: The request is allowed and the whitespace characters are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# encoded according to RFC1738.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# chop: The request is allowed and the URI is chopped at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# first whitespace.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE the current Squid implementation of encode and chop violates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC2616 by not using a 301 redirect after altering the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# uri_whitespace strip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: chroot
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Specifies a directory where Squid should do a chroot() while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# initializing. This also causes Squid to fully drop root
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# privileges after initializing. This means, for example, if you
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use a HTTP port less than 1024 and try to reconfigure, you may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# get an error saying that Squid can not open the port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: pipeline_prefetch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP clients may send a pipeline of 1+N requests to Squid using a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# single connection, without waiting for Squid to respond to the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of those requests. This option limits the number of concurrent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests Squid will try to handle in parallel. If set to N, Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# will try to receive and process up to 1+N requests on the same
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection concurrently.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Defaults to 0 (off) for bandwidth management and access logging
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reasons.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# NOTE: pipelining requires persistent connections to clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not pre-parse pipelined requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+pipeline_prefetch 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: high_response_time_warning (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the one-minute median response time exceeds this value,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid prints a WARNING with debug level 0 to get the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# administrators attention. The value is in milliseconds.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: high_page_fault_warning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the one-minute average page fault rate exceeds this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# value, Squid prints a WARNING with debug level 0 to get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the administrators attention. The value is in page faults
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# per second.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: high_memory_warning
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# GNU Malloc with mstats()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the memory usage (as determined by gnumalloc, if available and used)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exceeds this amount, Squid prints a WARNING with debug level 0 to get
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the administrators attention.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# disabled.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: sleep_after_fork (microseconds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this is set to a non-zero value, the main Squid process
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sleeps the specified number of microseconds after a fork()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system call. This sleep may help the situation where your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# system reports fork() failures due to lack of (virtual)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# memory. Note, however, if you have a lot of child
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processes, these sleep delays will add up and your
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid will not service requests for some amount of time
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# until all the child processes have been started.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On Windows value less then 1000 (1 milliseconds) are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rounded to 1000.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# sleep_after_fork 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: windows_ipaddrchangemonitor on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# MS Windows
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# On Windows Squid by default will monitor IP address changes and will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reconfigure itself after any detected event. This is very useful for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxies connected to internet with dial-up interfaces.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In some cases (a Proxy server acting as VPN gateway is one) it could be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# desiderable to disable this behaviour setting this to 'off'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: after changing this, Squid service must be restarted.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# windows_ipaddrchangemonitor on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: eui_lookup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Whether to lookup the EUI or MAC address of a connected client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eui_lookup on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+eui_lookup off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: max_filedescriptors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Set the maximum number of filedescriptors, either below the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# operating system default or up to the hard limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove from squid.conf to inherit the current ulimit soft
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit setting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: Changing this requires a restart of Squid. Also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not all I/O types supports large values (eg on Windows).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use operating system soft limit set by ulimit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: force_request_body_continuation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option controls how Squid handles data upload requests from HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and FTP agents that require a "Please Continue" control message response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to actually send the request body to Squid. It is mostly useful in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation environments.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When Squid receives an HTTP request with an "Expect: 100-continue"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# header or an FTP upload command (e.g., STOR), Squid normally sends the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request headers or FTP command information to an adaptation service (or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peer) and waits for a response. Most adaptation services (and some
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# broken peers) may not respond to Squid at that stage because they may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decide to wait for the HTTP request body or FTP data transfer. However,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that request body or data transfer may never come because Squid has not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# responded with the HTTP 100 or FTP 150 (Please Continue) control message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to the request sender yet!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An allow match tells Squid to respond with the HTTP 100 or FTP 150
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (Please Continue) control message on its own, before forwarding the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request to an adaptation service or peer. Such a response usually forces
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request sender to proceed with sending the body. A deny match tells
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid to delay that control response until the origin server confirms
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# that the request body is needed. Delaying is the default behavior.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny, unless rules exist in squid.conf.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: server_pconn_for_nonretriable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option provides fine-grained control over persistent connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in environments where opening new connections is very expensive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., all connections are secured with TLS with complex client and server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificate validation) and race conditions associated with persistent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections are very rare and/or only cause minor problems.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# HTTP prohibits retrying unsafe and non-idempotent requests (e.g., POST).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid limitations also prohibit retrying all requests with bodies (e.g., PUT).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, when forwarding such "risky" requests, Squid opens a new
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection to the server or cache_peer, even if there is an idle persistent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection available. When Squid is configured to risk sending a non-retriable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request on a previously used persistent connection, and the server closes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the connection before seeing that risky request, the user gets an error response
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# from Squid. In most cases, that error response will be HTTP 502 (Bad Gateway)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with ERR_ZERO_SIZE_OBJECT or ERR_WRITE_ERROR (peer connection reset) error detail.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If an allow rule matches, Squid reuses an available idle persistent connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (if any) for the request that Squid cannot retry. If a deny rule matches, then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid opens a new connection for the request that Squid cannot retry.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option does not affect requests that Squid can retry. They will reuse idle
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# persistent connections (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl SpeedIsWorthTheRisk method POST
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server_pconn_for_nonretriable allow SpeedIsWorthTheRisk
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Open new connections for forwarding requests Squid cannot retry safely.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span></pre><pre style='margin:0'>
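Review bot: `pipeline_prefetch 3` near the end of squid.conf.macports turns on
request pipelining with no comment explaining why, directly beneath stock text
saying the default is 0 (off) "for bandwidth management and access logging
reasons" and warning that pipelining breaks NTLM and Negotiate/Kerberos
authentication. Either drop the line to keep the default, or add a one-line
rationale above it and confirm that persistent connections to clients are
enabled elsewhere in the file, since the NOTE says pipelining requires them.
The same gap applies to `eui_lookup off` a few entries later: it and
`pipeline_prefetch 3` are the only active directives in this stretch of stock
documentation, so a short marker comment on each local override would let a
reader find the deviations from the documented defaults without diffing the
whole file.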
</pre>