зам.Шматко
Группа: Участник
Сообщений: 964
Регистрация: 18.02.2005
Пользователь №: 6646
|
Товарищи линуксоиды, помогите настроить сквид на ALT Linux. Задача такая-пускать учеников через проксю с контентной фильтрацией. Итак, имеется: компьютер, который будет выполнять функцию прокси с установленной ОС ALT Linux Junior (5.0.0), установленный сквид 3 версии и 2 сетевой карты с настройками: Eth0 (внешняя сеть): 192.168.9.2 , 192.168.9.1, 255.255.255.0 (dns нет) Eth1(внутренняя сеть): 192.168.0.1, 255.255.255.0 Доступ в интернет с компьютера-сервера осуществляется через прокси-сервер управления образования: 192.168.1.3:8080 Где что раскомментировать и изменить? » Показать/скрыть спойлер... « [quote]# WELCOME TO SQUID 3.0.STABLE13 # ---------------------------- # # This is the default Squid configuration file. You may wish # to look at the Squid home page (http://www.squid-cache.org/) # for the FAQ and other documentation. # # The default Squid config file shows what the defaults for # various options happen to be. If you don't need to change the # default, you shouldn't uncomment the line. Doing so may cause # run-time problems. In some cases "none" refers to no default # setting at all, while in other cases it refers to a valid # option - the comments for that keyword indicate if this is the # case. #
# Configuration options can be included using the "include" directive. # Include takes a list of files to include. Quoting and wildcards is # supported. # # For example, # # include /path/to/included/file/squid.acl.config # # Includes can be nested up to a hard-coded depth of 16 levels. # This arbitrary restriction is to prevent recursive include references # from causing Squid entering an infinite loop whilst trying to load # configuration files.
# OPTIONS FOR AUTHENTICATION # -----------------------------------------------------------------------------
# TAG: auth_param # This is used to define parameters for the various authentication # schemes supported by Squid. # # format: auth_param scheme parameter [setting] # # The order in which authentication schemes are presented to the client is # dependent on the order the scheme first appears in config file. IE # has a bug (it's not RFC 2617 compliant) in that it will use the basic # scheme if basic is the first entry presented, even if more secure # schemes are presented. For now use the order in the recommended # settings section below. If other browsers have difficulties (don't # recognize the schemes offered even if you are using basic) either # put basic first, or disable the other schemes (by commenting out their # program entry). # # Once an authentication scheme is fully configured, it can only be # shutdown by shutting squid down and restarting. Changes can be made on # the fly and activated with a reconfigure. I.E. You can change to a # different helper, but not unconfigure the helper completely. # # Please note that while this directive defines how Squid processes # authentication it does not automatically activate authentication. # To use authentication you must in addition make use of ACLs based # on login name in http_access (proxy_auth, proxy_auth_regex or # external with %LOGIN used in the format tag). The browser will be # challenged for authentication on the first such acl encountered # in http_access processing and will also be re-challenged for new # login credentials if the request is being denied by a proxy_auth # type acl. # # WARNING: authentication can't be used in a transparently intercepting # proxy as the client then thinks it is talking to an origin server and # not the proxy. This is a limitation of bending the TCP/IP protocol to # transparently intercepting port 80, not a limitation in Squid. # Ports flagged 'transparent' or 'tproxy' have authentication disabled. # # === Parameters for the basic scheme follow. === # # "program" cmdline # Specify the command for the external authenticator. Such a program # reads a line containing "username password" and replies "OK" or # "ERR" in an endless loop. "ERR" responses may optionally be followed # by a error description available as %m in the returned error page. # If you use an authenticator, make sure you have 1 acl of type proxy_auth. # # By default, the basic authentication scheme is not used unless a # program is specified. # # If you want to use the traditional NCSA proxy authentication, set # this line to something like # # auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd # # "children" numberofchildren # The number of authenticator processes to spawn. If you start too few # Squid will have to wait for them to process a backlog of credential # verifications, slowing it down. When password verifications are # done via a (slow) network you are likely to need lots of # authenticator processes. # auth_param basic children 5 # # "concurrency" concurrency # The number of concurrent requests the helper can process. # The default of 0 is used for helpers who only supports # one request at a time. Setting this changes the protocol used to # include a channel number first on the request/response line, allowing # multiple requests to be sent to the same helper in parallell without # wating for the response. # Must not be set unless it's known the helper supports this. # auth_param basic concurrency 0 # # "realm" realmstring # Specifies the realm name which is to be reported to the # client for the basic proxy authentication scheme (part of # the text the user will see when prompted their username and # password). There is no default. # auth_param basic realm Squid proxy-caching web server # # "credentialsttl" timetolive # Specifies how long squid assumes an externally validated # username:password pair is valid for - in other words how # often the helper program is called for that user. Set this # low to force revalidation with short lived passwords. Note # setting this high does not impact your susceptibility # to replay attacks unless you are using an one-time password # system (such as SecureID). If you are using such a system, # you will be vulnerable to replay attacks unless you also # use the max_user_ip ACL in an http_access rule. # # "casesensitive" on|off # Specifies if usernames are case sensitive. Most user databases are # case insensitive allowing the same username to be spelled using both # lower and upper case letters, but some are case sensitive. This # makes a big difference for user_max_ip ACL processing and similar. # auth_param basic casesensitive off # # === Parameters for the digest scheme follow === # # "program" cmdline # Specify the command for the external authenticator. Such # a program reads a line containing "username":"realm" and # replies with the appropriate H(A1) value hex encoded or # ERR if the user (or his H(A1) hash) does not exists. # See rfc 2616 for the definition of H(A1). # "ERR" responses may optionally be followed by a error description # available as %m in the returned error page. # # By default, the digest authentication scheme is not used unless a # program is specified. # # If you want to use a digest authenticator, set this line to # something like # # auth_param digest program /usr/bin/digest_auth_pw -c /usr/etc/digpass # # "children" numberofchildren # The number of authenticator processes to spawn (no default). # If you start too few Squid will have to wait for them to # process a backlog of H(A1) calculations, slowing it down. # When the H(A1) calculations are done via a (slow) network # you are likely to need lots of authenticator processes. # auth_param digest children 5 # # "realm" realmstring # Specifies the realm name which is to be reported to the # client for the digest proxy authentication scheme (part of # the text the user will see when prompted their username and # password). There is no default. # auth_param digest realm Squid proxy-caching web server # # "nonce_garbage_interval" timeinterval # Specifies the interval that nonces that have been issued # to client_agent's are checked for validity. # # "nonce_max_duration" timeinterval # Specifies the maximum length of time a given nonce will be # valid for. # # "nonce_max_count" number # Specifies the maximum number of times a given nonce can be # used. # # "nonce_strictness" on|off # Determines if squid requires strict increment-by-1 behavior # for nonce counts, or just incrementing (off - for use when # useragents generate nonce counts that occasionally miss 1 # (ie, 1,2,4,6)). Default off. # # "check_nonce_count" on|off # This directive if set to off can disable the nonce count check # completely to work around buggy digest qop implementations in # certain mainstream browser versions. Default on to check the # nonce count to protect from authentication replay attacks. # # "post_workaround" on|off # This is a workaround to certain buggy browsers who sends # an incorrect request digest in POST requests when reusing # the same nonce as acquired earlier on a GET request. # # === NTLM scheme options follow === # # "program" cmdline # Specify the command for the external NTLM authenticator. # Such a program reads exchanged NTLMSSP packets with # the browser via Squid until authentication is completed. # If you use an NTLM authenticator, make sure you have 1 acl # of type proxy_auth. By default, the NTLM authenticator_program # is not used. # # auth_param ntlm program /usr/bin/ntlm_auth # # "children" numberofchildren # The number of authenticator processes to spawn (no default). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it # down. When credential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. # # auth_param ntlm children 5 # # "keep_alive" on|off # If you experience problems with PUT/POST requests when using the # Negotiate authentication scheme then you can try setting this to # off. This will cause Squid to forcibly close the connection on # the initial requests where the browser asks which schemes are # supported by the proxy. # # auth_param ntlm keep_alive on # # === Options for configuring the NEGOTIATE auth-scheme follow === # # "program" cmdline # Specify the command for the external Negotiate authenticator. # This protocol is used in Microsoft Active-Directory enabled setups with # the Microsoft Internet Explorer or Mozilla Firefox browsers. # Its main purpose is to exchange credentials with the Squid proxy # using the Kerberos mechanisms. # If you use a Negotiate authenticator, make sure you have at least one acl # of type proxy_auth active. By default, the negotiate authenticator_program # is not used. # The only supported program for this role is the ntlm_auth # program distributed as part of Samba, version 4 or later. # # auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego # # "children" numberofchildren # The number of authenticator processes to spawn (no default). # If you start too few Squid will have to wait for them to # process a backlog of credential verifications, slowing it # down. When crendential verifications are done via a (slow) # network you are likely to need lots of authenticator # processes. # auth_param negotiate children 5 # # "keep_alive" on|off # If you experience problems with PUT/POST requests when using the # Negotiate authentication scheme then you can try setting this to # off. This will cause Squid to forcibly close the connection on # the initial requests where the browser asks which schemes are # supported by the proxy. # # auth_param negotiate keep_alive on # #Recommended minimum configuration per scheme: #auth_param negotiate program <uncomment and complete this line to activate> #auth_param negotiate children 5 #auth_param negotiate keep_alive on #auth_param ntlm program <uncomment and complete this line to activate> #auth_param ntlm children 5 #auth_param ntlm keep_alive on #auth_param digest program <uncomment and complete this line> #auth_param digest children 5 #auth_param digest realm Squid proxy-caching web server #auth_param digest nonce_garbage_interval 5 minutes #auth_param digest nonce_max_duration 30 minutes #auth_param digest nonce_max_count 50 auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd #auth_param basic children 5 #auth_param basic realm Squid proxy-caching web server #auth_param basic credentialsttl 2 hours
# TAG: authenticate_cache_garbage_interval # The time period between garbage collection across the username cache. # This is a tradeoff between memory utilization (long intervals - say # 2 days) and CPU (short intervals - say 1 minute). Only change if you # have good reason to. # #Default: # authenticate_cache_garbage_interval 1 hour
# TAG: authenticate_ttl # The time a user & their credentials stay in the logged in # user cache since their last request. When the garbage # interval passes, all user credentials that have passed their # TTL are removed from memory. # #Default: # authenticate_ttl 1 hour
# TAG: authenticate_ip_ttl # If you use proxy authentication and the 'max_user_ip' ACL, # this directive controls how long Squid remembers the IP # addresses associated with each user. Use a small value # (e.g., 60 seconds) if your users might change addresses # quickly, as is the case with dialups. You might be safe # using a larger value (e.g., 2 hours) in a corporate LAN # environment with relatively static address assignments. # #Default: # authenticate_ip_ttl 0 seconds
# ACCESS CONTROLS # -----------------------------------------------------------------------------
# TAG: external_acl_type # This option defines external acl classes using a helper program # to look up the status # # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] # # Options: # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) # children=n Number of acl helper processes spawn to service # external acl lookups of this type. (default 5) # concurrency=n concurrency level per process. Only used with helpers # capable of processing more than one query at a time. # cache=n result cache size, 0 is unbounded (default) # grace=n Percentage remaining of TTL where a refresh of a # cached entry should be initiated without needing to # wait for a new reply. (default 0 for no grace period) # protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers # # FORMAT specifications # # %LOGIN Authenticated user login name # %EXT_USER Username from external acl # %IDENT Ident user name # %SRC Client IP # %SRCPORT Client source port # %URI Requested URI # %DST Requested host # %PROTO Requested protocol # %PORT Requested port # %PATH Requested URL path # %METHOD Request method # %MYADDR Squid interface address # %MYPORT Squid http_port number # %PATH Requested URL-path (including query-string if any) # %USER_CERT SSL User certificate in PEM format # %USER_CERTCHAIN SSL User certificate chain in PEM format # %USER_CERT_xx SSL User certificate subject attribute xx # %USER_CA_xx SSL User certificate issuer attribute xx # %{Header} HTTP request header # %{Hdr:member} HTTP request header list member # %{Hdr:;member} # HTTP request header list member using ; as # list separator. ; can be any non-alphanumeric # character. # # In addition to the above, any string specified in the referencing # acl will also be included in the helper request line, after the # specified formats (see the "acl external" directive) # # The helper receives lines per the above format specification, # and returns lines starting with OK or ERR indicating the validity # of the request and optionally followed by additional keywords with # more details. # # General result syntax: # # OK/ERR keyword=value ... # # Defined keywords: # # user= The users name (login) # password= The users password (for login= cache_peer option) # message= Message describing the reason. Available as %o # in error pages # tag= Apply a tag to a request (for both ERR and OK results) # Only sets a tag, does not alter existing tags. # log= String to be logged in access.log. Available as # %ea in logformat specifications # # If protocol=3.0 (the default) then URL escaping is used to protect # each value in both requests and responses. # # If using protocol=2.5 then all values need to be enclosed in quotes # if they may contain whitespace, or the whitespace escaped using \. # And quotes or \ characters within the keyword value must be \ escaped. # # When using the concurrency= option the protocol is changed by # introducing a query channel tag infront of the request/response. # The query channel tag is a number between 0 and concurrency-1. # #Default: # none
# TAG: acl # Defining an Access List # # Every access list definition must begin with an aclname and acltype, # followed by either type-specific arguments or a quoted filename that # they are read from. # # acl aclname acltype argument ... # acl aclname acltype "file" ... # # When using "file", the file should contain one item per line. # # By default, regular expressions are CASE-SENSITIVE. To make # them case-insensitive, use the -i option. # # # ***** ACL TYPES AVAILABLE ***** # # acl aclname src ip-address/netmask ... # clients IP address # acl aclname src addr1-addr2/netmask ... # range of addresses # acl aclname dst ip-address/netmask ... # URL host's IP address # acl aclname myip ip-address/netmask ... # local socket IP address # # acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) # # The arp ACL requires the special configure option --enable-arp-acl. # # Furthermore, the ARP ACL code is not portable to all operating systems. # # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants. # # # # NOTE: Squid can only determine the MAC address for clients that are on # # the same subnet. If the client is on a different subnet, then Squid cannot # # find out its MAC address. # # acl aclname srcdomain .foo.com ... # reverse lookup, from client IP # acl aclname dstdomain .foo.com ... # Destination server from URL # acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name # acl aclname dstdom_regex [-i] \.foo\.com ... # regex matching server # # For dstdomain and dstdom_regex a reverse lookup is tried if a IP # # based URL is used and no match is found. The name "none" is used # # if the reverse lookup fails. # # acl aclname src_as number ... # acl aclname dst_as number ... # # Except for access control, AS numbers can be used for # # routing of requests to specific caches. Here's an # # example for routing all requests for AS#1241 and only # # those to mycache.mydomain.net: # # acl asexample dst_as 1241 # # cache_peer_access mycache.mydomain.net allow asexample # # cache_peer_access mycache_mydomain.net deny all # # acl aclname time [day-abbrevs] [h1:m1-h2:m2] # # day-abbrevs: # # S - Sunday # # M - Monday # # T - Tuesday # # W - Wednesday # # H - Thursday # # F - Friday # # A - Saturday # # h1:m1 must be less than h2:m2 # # acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL # acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path # # acl aclname port 80 70 21 ... # acl aclname port 0-1024 ... # ranges allowed # acl aclname myport 3128 ... # (local socket TCP port) # acl aclname myportname 3128 ... # http(s)_port name # # acl aclname proto HTTP FTP ... # # acl aclname method GET POST ... # # acl aclname http_status 200 301 500- 400-403 ... # status code in reply # # acl aclname browser [-i] regexp ... # # pattern match on User-Agent header (see also req_header below) # # acl aclname referer_regex [-i] regexp ... # # pattern match on Referer header # # Referer is highly unreliable, so use with care # # acl aclname ident username ... # acl aclname ident_regex [-i] pattern ... # # string match on ident output. # # use REQUIRED to accept any non-null ident. # # acl aclname proxy_auth [-i] username ... # acl aclname proxy_auth_regex [-i] pattern ... # # list of valid usernames # # use REQUIRED to accept any valid username. # # # # NOTE: when a Proxy-Authentication header is sent but it is not # # needed during ACL checking the username is NOT logged # # in access.log. # # # # NOTE: proxy_auth requires a EXTERNAL authentication program # # to check username/password combinations (see # # auth_param directive). # # # # NOTE: proxy_auth can't be used in a transparent/intercepting proxy # # as the browser needs to be configured for using a proxy in order # # to respond to proxy authentication. # # acl aclname snmp_community string ... # # A community string to limit access to your SNMP Agent # # Example: # # # # acl snmppublic snmp_community public # # acl aclname maxconn number # # This will be matched when the client's IP address has # # more than <number> HTTP connections established. # # acl aclname max_user_ip [-s] number # # This will be matched when the user attempts to log in from more # # than <number> different ip addresses. The authenticate_ip_ttl # # parameter controls the timeout on the ip entries. # # If -s is specified the limit is strict, denying browsing # # from any further IP addresses until the ttl has expired. Without # # -s Squid will just annoy the user by "randomly" denying requests. # # (the counter is reset each time the limit is reached and a # # request is denied) # # NOTE: in acceleration mode or where there is mesh of child proxies, # # clients may appear to come from multiple addresses if they are # # going through proxy farms, so a limit of 1 may cause user problems. # # acl aclname req_mime_type [-i] mime-type ... # # regex match against the mime type of the request generated # # by the client. Can be used to detect file upload or some # # types HTTP tunneling requests. # # NOTE: This does NOT match the reply. You cannot use this # # to match the returned file type. # # acl aclname req_header header-name [-i] any\.regex\.here # # regex match against any of the known request headers. May be # # thought of as a superset of "browser", "referer" and "mime-type" # # ACLs. # # acl aclname rep_mime_type [-i] mime-type ... # # regex match against the mime type of the reply received by # # squid. Can be used to detect file download or some # # types HTTP tunneling requests. # # NOTE: This has no effect in http_access rules. It only has # # effect in rules that affect the reply data stream such as # # http_reply_access. # # acl aclname rep_header header-name [-i] any\.regex\.here # # regex match against any of the known reply headers. May be # # thought of as a superset of "browser", "referer" and "mime-type" # # ACLs. # # acl aclname external class_name [arguments...] # # external ACL lookup via a helper class defined by the # # external_acl_type directive. # # acl aclname user_cert attribute values... # # match against attributes in a user SSL certificate # # attribute is one of DN/C/O/CN/L/ST # # acl aclname ca_cert attribute values... # # match against attributes a users issuing CA SSL certificate # # attribute is one of DN/C/O/CN/L/ST # # acl aclname ext_user username ... # acl aclname ext_user_regex [-i] pattern ... # # string match on username returned by external acl helper # # use REQUIRED to accept any non-null user name. # #Examples: #acl macaddress arp 09:00:2b:23:45:67 #acl myexample dst_as 1241 acl password proxy_auth REQUIRED #acl fileupload req_mime_type -i ^multipart/form-data$ #acl javascript rep_mime_type -i ^application/x-javascript$ # #Default: # acl all src all # #Recommended minimum configuration: acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network # acl SSL_ports port 443 # https acl SSL_ports port 563 # snews acl Rsync_ports port 873 acl Jabber_ports port 5222 5223 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 563 # snews acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl CONNECT method CONNECT
# TAG: http_access # Allowing or Denying access based on defined access lists # # Access to the HTTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: # # If there are no "access" lines present, the default is to deny # the request. # # If none of the "access" lines cause a match, the default is the # opposite of the last line in the list. If the last line was # deny, the default is allow. Conversely, if the last line # is allow, the default will be deny. For these reasons, it is a # good idea to have an "deny all" or "allow all" entry at the end # of your access lists to avoid potential confusion. # #Default: http_access allow # #Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports !Jabber_ports !Rsync_ports # # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS http_access allow password
# Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet
#http_access allow localhost # And finally deny all other access to this proxy http_access allow
# TAG: http_reply_access # Allow replies to client requests. This is complementary to http_access. # # http_reply_access allow|deny [!] aclname ... # # NOTE: if there are no access lines present, the default is to allow # all replies # # If none of the access lines cause a match the opposite of the # last line will apply. Thus it is good practice to end the rules # with an "allow all" or "deny all" entry. # #Default: # none
# TAG: icp_access # Allowing or Denying access to the ICP port based on defined # access lists # # icp_access allow|deny [!]aclname ... # # See http_access for details # #Default: # icp_access allow # #Allow ICP queries from local networks only icp_access allow localnet icp_access deny all
# TAG: htcp_access # Allowing or Denying access to the HTCP port based on defined # access lists # # htcp_access allow|deny [!]aclname ... # # See http_access for details # # NOTE: The default if no htcp_access lines are present is to # deny all traffic. This default may cause problems with peers # using the htcp or htcp-oldsquid options. # #Default: # htcp_access deny all # #Allow HTCP queries from local networks only htcp_access allow localnet htcp_access deny all
# TAG: htcp_clr_access # Allowing or Denying access to purge content using HTCP based # on defined access lists # # htcp_clr_access allow|deny [!]aclname ... # # See http_access for details # ##Allow HTCP CLR requests from trusted peers #acl htcp_clr_peer src 172.16.1.2 #htcp_clr_access allow htcp_clr_peer # #Default: # htcp_clr_access deny all
# TAG: miss_access # Use to force your neighbors to use you as a sibling instead of # a parent. For example: # # acl localclients src 172.16.0.0/16 # miss_access allow localclients # miss_access deny !localclients # # This means only your local clients are allowed to fetch # MISSES and all other clients can only fetch HITS. # # By default, allow all clients who passed the http_access rules # to fetch MISSES from us. # #Default setting: # miss_access allow all
# TAG: ident_lookup_access # A list of ACL elements which, if matched, cause an ident # (RFC 931) lookup to be performed for this request. For # example, you might choose to always perform ident lookups # for your main multi-user Unix boxes, but not for your Macs # and PCs. By default, ident lookups are not performed for # any requests. # # To enable ident lookups for specific client addresses, you # can follow this example: # # acl ident_aware_hosts src 198.168.1.0/255.255.255.0 # ident_lookup_access allow ident_aware_hosts # ident_lookup_access deny all # # Only src type ACL checks are fully supported. A src_domain # ACL might work at times, but it will not always provide # the correct result. # #Default: # ident_lookup_access deny all
# TAG: reply_body_max_size size [acl acl...] # This option specifies the maximum size of a reply body. It can be # used to prevent users from downloading very large files, such as # MP3's and movies. When the reply headers are received, the # reply_body_max_size lines are processed, and the first line where # all (if any) listed ACLs are true is used as the maximum body size # for this reply. # # This size is checked twice. First when we get the reply headers, # we check the content-length value. If the content length value exists # and is larger than the allowed size, the request is denied and the # user receives an error message that says "the request or reply # is too large." If there is no content-length, and the reply # size exceeds this limit, the client's connection is just closed # and they will receive a partial reply. # # WARNING: downstream caches probably can not detect a partial reply # if there is no content-length header, so they will cache # partial responses and give them out as hits. You should NOT # use this option if you have downstream caches. # # WARNING: A maximum size smaller than the size of squid's error messages # will cause an infinite loop and crash squid. Ensure that the smallest # non-zero value you use is greater that the maximum header size plus # the size of your largest error page. # # If you set this parameter none (the default), there will be # no limit imposed. # # Configuration Format is: # reply_body_max_size SIZE UNITS [acl ...] # ie. # reply_body_max_size 10 MB # # #Default: # none
# NETWORK OPTIONS # -----------------------------------------------------------------------------
# TAG: http_port # Usage: port [options] # hostname:port [options] # 1.2.3.4:port [options] # # The socket addresses where Squid will listen for HTTP client # requests. You may specify multiple socket addresses. # There are three forms: port alone, hostname with port, and # IP address with port. If you specify a hostname or IP # address, Squid binds the socket to that specific # address. This replaces the old 'tcp_incoming_address' # option. Most likely, you do not need to bind to a specific # address, so you can use the port number alone. # # If you are running Squid in accelerator mode, you # probably want to listen on port 80 also, or instead. # # The -a command line option may be used to specify additional # port(s) where Squid listens for proxy request. Such ports will # be plain proxy ports with no options. # # You may specify multiple socket addresses on multiple lines. # # Options: # # transparent Support for transparent interception of # outgoing requests without browser settings. # NP: disables authentication on the port. # # tproxy Support Linux TPROXY for spoofing outgoing # connections using the client IP address. # NP: disables authentication on the port. # # accel Accelerator mode. Also needs at least one of # vhost / vport / defaultsite. # # defaultsite=domainname # What to use for the Host: header if it is not present # in a request. Determines what site (not origin server) # accelerators should consider the default. # Implies accel. # # vhost Accelerator mode using Host header for virtual # domain support. Implies accel. # # vport Accelerator with IP based virtual host support. # Implies accel. # # vport=NN As above, but uses specified port number rather # than the http_port number. Implies accel. # # protocol= Protocol to reconstruct accelerated requests with. # Defaults to http. # # disable-pmtu-discovery= # Control Path-MTU discovery usage: # off lets OS decide on what to do (default). # transparent disable PMTU discovery when transparent # support is enabled. # always disable always PMTU discovery. # # In many setups of transparently intercepting proxies # Path-MTU discovery can not work on traffic towards the # clients. This is the case when the intercepting device # does not fully track connections and fails to forward # ICMP must fragment messages to the cache server. If you # have such setup and experience that certain clients # sporadically hang or never complete requests set # disable-pmtu-discovery option to 'transparent'. # # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # # If you run Squid on a dual-homed machine with an internal # and an external interface we recommend you to specify the # internal address:port in http_port. This way Squid will only be # visible on the internal address. # # Squid normally listens to port 3128 http_port 3128
# TAG: https_port # Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] # # The socket address where Squid will listen for HTTPS client # requests. # # This is really only useful for situations where you are running # squid in accelerator mode and you want to do the SSL work at the # accelerator level. # # You may specify multiple socket addresses on multiple lines, # each with their own SSL certificate and/or options. # # Options: # # accel Accelerator mode. Also needs at least one of # defaultsite or vhost. # # defaultsite= The name of the https site presented on # this port. Implies accel. # # vhost Accelerator mode using Host header for virtual # domain support. Requires a wildcard certificate # or other certificate valid for more than one domain. # Implies accel. # # protocol= Protocol to reconstruct accelerated requests with. # Defaults to https. # # cert= Path to SSL certificate (PEM format). # # key= Path to SSL private key file (PEM format) # if not specified, the certificate file is # assumed to be a combined certificate and # key file. # # version= The version of SSL/TLS supported # 1 automatic (default) # 2 SSLv2 only # 3 SSLv3 only # 4 TLSv1 only # # cipher= Colon separated list of supported ciphers. # # options= Various SSL engine options. The most important # being: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 # SINGLE_DH_USE Always create a new key when using # temporary/ephemeral DH key exchanges # See src/ssl_support.c or OpenSSL SSL_CTX_set_options # documentation for a complete list of options. # # clientca= File containing the list of CAs to use when # requesting a client certificate. # # cafile= File containing additional CA certificates to # use when verifying client certificates. If unset # clientca will be used. # # capath= Directory containing additional CA certificates # and CRL lists to use when verifying client certificates. # # crlfile= File of additional CRL lists to use when verifying # the client certificate, in addition to CRLs stored in # the capath. Implies VERIFY_CRL flag below. # # dhparams= File containing DH parameters for temporary/ephemeral # DH key exchanges. # # sslflags= Various flags modifying the use of SSL: # DELAYED_AUTH # Don't request client certificates # immediately, but wait until acl processing # requires a certificate (not yet implemented). # NO_DEFAULT_CA # Don't use the default CA lists built in # to OpenSSL. # NO_SESSION_REUSE # Don't allow for session reuse. Each connection # will result in a new SSL session. # VERIFY_CRL # Verify CRL lists when accepting client # certificates. # VERIFY_CRL_ALL # Verify CRL lists for all certificates in the # client certificate chain. # # sslcontext= SSL session ID context identifier. # # vport Accelerator with IP based virtual host support. # # vport=NN As above, but uses specified port number rather # than the https_port number. Implies accel. # # name= Specifies a internal name for the port. Defaults to # the port specification (port or addr:port) # # #Default: # none
# TAG: tcp_outgoing_tos # Allows you to select a TOS/Diffserv value to mark outgoing # connections with, based on the username or source address # making the request. # # tcp_outgoing_tos ds-field [!]aclname ... # # Example where normal_service_net uses the TOS value 0x00 # and normal_service_net uses 0x20 # # acl normal_service_net src 10.0.0.0/255.255.255.0 # acl good_service_net src 10.0.1.0/255.255.255.0 # tcp_outgoing_tos 0x00 normal_service_net # tcp_outgoing_tos 0x20 good_service_net # # TOS/DSCP values really only have local significance - so you should # know what you're specifying. For more information, see RFC2474 and # RFC3260. # # The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or # "default" to use whatever default your host has. Note that in # practice often only values 0 - 63 is usable as the two highest bits # have been redefined for use by ECN (RFC3168). # # Processing proceeds in the order specified, and stops at first fully # matching line. # # Note: The use of this directive using client dependent ACLs is # incompatible with the use of server side persistent connections. To # ensure correct results it is best to set server_persisten_connections # to off when using this directive in such configurations. # #Default: # none
# TAG: clientside_tos # Allows you to select a TOS/Diffserv value to mark client-side # connections with, based on the username or source address # making the request. # #Default: # none
# TAG: tcp_outgoing_address # Allows you to map requests to different outgoing IP addresses # based on the username or source address of the user making # the request. # # tcp_outgoing_address ipaddr [[!]aclname] ... # # Example where requests from 10.0.0.0/24 will be forwarded # with source address 10.1.0.1, 10.0.2.0/24 forwarded with # source address 10.1.0.2 and the rest will be forwarded with # source address 10.1.0.3. # # acl normal_service_net src 10.0.0.0/24 # acl good_service_net src 10.0.2.0/24 # tcp_outgoing_address 10.1.0.1 normal_service_net # tcp_outgoing_address 10.1.0.2 good_service_net # tcp_outgoing_address 10.1.0.3 # # Processing proceeds in the order specified, and stops at first fully # matching line. # # Note: The use of this directive using client dependent ACLs is # incompatible with the use of server side persistent connections. To # ensure correct results it is best to set server_persistent_connections # to off when using this directive in such configurations. # #Default: # none
# SSL OPTIONS # -----------------------------------------------------------------------------
# TAG: ssl_unclean_shutdown # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. # #Default: # ssl_unclean_shutdown off
# TAG: ssl_engine # The OpenSSL engine to use. You will need to set this if you # would like to use hardware SSL acceleration for example. # #Default: # none
# TAG: sslproxy_client_certificate # Client SSL Certificate to use when proxying https:// URLs # #Default: # none
# TAG: sslproxy_client_key # Client SSL Key to use when proxying https:// URLs # #Default: # none
# TAG: sslproxy_version # SSL version level to use when proxying https:// URLs # #Default: # sslproxy_version 1
# TAG: sslproxy_options # SSL engine options to use when proxying https:// URLs # #Default: # none
# TAG: sslproxy_cipher # SSL cipher list to use when proxying https:// URLs # #Default: # none
# TAG: sslproxy_cafile # file containing CA certificates to use when verifying server # certificates while proxying https:// URLs # #Default: # none
# TAG: sslproxy_capath # directory containing CA certificates to use when verifying # server certificates while proxying https:// URLs # #Default: # none
# TAG: sslproxy_flags # Various flags modifying the use of SSL while proxying https:// URLs: # DONT_VERIFY_PEER Accept certificates even if they fail to # verify. # NO_DEFAULT_CA Don't use the default CA list built in # to OpenSSL. # #Default: # none
# TAG: sslpassword_program # Specify a program used for entering SSL key passphrases # when using encrypted SSL certificate keys. If not specified # keys must either be unencrypted, or Squid started with the -N # option to allow it to query interactively for the passphrase. # #Default: # none
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # -----------------------------------------------------------------------------
# TAG: cache_peer # To specify other caches in a hierarchy, use the format: # # cache_peer hostname type http-port icp-port [options] # # For example, # # # proxy icp # # hostname type port port options # # -------------------- -------- ----- ----- ----------- # cache_peer parent.foo.net parent 3128 3130 proxy-only default # cache_peer sib1.foo.net sibling 3128 3130 proxy-only # cache_peer sib2.foo.net sibling 3128 3130 proxy-only # # type: either 'parent', 'sibling', or 'multicast'. # # proxy-port: The port number where the cache listens for proxy # requests. # # icp-port: Used for querying neighbor caches about # objects. To have a non-ICP neighbor # specify '7' for the ICP port and make sure the # neighbor machine has the UDP echo port # enabled in its /etc/inetd.conf file. # NOTE: Also requires icp_port option enabled to send/receive # requests via this method. # # options: proxy-only # weight=n # basetime=n # ttl=n # no-query # background-ping # default # round-robin # weighted-round-robin # carp # userhash # sourcehash # multicast-responder # closest-only # no-digest # no-netdb-exchange # no-delay # login=user:password | PASS | *:password # connect-timeout=nn # digest-url=url # allow-miss # max-conn=n # htcp # htcp-oldsquid # originserver # name=xxx # forceddomain=name # ssl # sslcert=/path/to/ssl/certificate # sslkey=/path/to/ssl/key # sslversion=1|2|3|4 # sslcipher=... # ssloptions=... # front-end-https[=on|auto] # # use 'proxy-only' to specify objects fetched # from this cache should not be saved locally. # # use 'weight=n' to affect the selection of a peer # during any weighted peer-selection mechanisms. # The weight must be an integer; default is 1, # larger weights are favored more. # This option does not affect parent selection if a peering # protocol is not in use. # # use 'basetime=n' to specify a base amount to # be subtracted from round trip times of parents. # It is subtracted before division by weight in calculating # which parent to fectch from. If the rtt is less than the # base time the rtt is set to a minimal value. # # use 'ttl=n' to specify a IP multicast TTL to use # when sending an ICP queries to this address. # Only useful when sending to a multicast group. # Because we don't accept ICP replies from random # hosts, you must configure other group members as # peers with the 'multicast-responder' option below. # # use 'no-query' to NOT send ICP queries to this # neighbor. # # use 'background-ping' to only send ICP queries to this # neighbor infrequently. This is used to keep the neighbor # round trip time updated and is usually used in # conjunction with weighted-round-robin. # # use 'default' if this is a parent cache which can # be used as a "last-resort" if a peer cannot be located # by any of the peer-selection mechanisms. # If specified more than once, only the first is used. # # use 'round-robin' to define a set of parents which # should be used in a round-robin fashion in the # absence of any ICP queries. # # use 'weighted-round-robin' to define a set of parents # which should be used in a round-robin fashion with the # frequency of each parent being based on the round trip # time. Closer parents are used more often. # Usually used for background-ping parents. # # use 'carp' to define a set of parents which should # be used as a CARP array. The requests will be # distributed among the parents based on the CARP load # balancing hash function based on their weight. # # use 'userhash' to load-balance amongst a set of parents # based on the client proxy_auth or ident username. # # use 'sourcehash' to load-balance amongst a set of parents # based on the client source ip. # # 'multicast-responder' indicates the named peer # is a member of a multicast group. ICP queries will # not be sent directly to the peer, but ICP replies # will be accepted from it. # # 'closest-only' indicates that, for ICP_OP_MISS # replies, we'll only forward CLOSEST_PARENT_MISSes # and never FIRST_PARENT_MISSes. # # use 'no-digest' to NOT request cache digests from # this neighbor. # # 'no-netdb-exchange' disables requesting ICMP # RTT database (NetDB) from the neighbor. # # use 'no-delay' to prevent access to this neighbor # from influencing the delay pools. # # use 'login=user:password' if this is a personal/workgroup # proxy and your parent requires proxy authentication. # Note: The string can include URL escapes (i.e. %20 for # spaces). This also means % must be written as %%. # # use 'login=PASS' if users must authenticate against # the upstream proxy or in the case of a reverse proxy # configuration, the origin web server. This will pass # the users credentials as they are to the peer. # This only works for the Basic HTTP authentication scheme. # Note: To combine this with proxy_auth both proxies must # share the same user database as HTTP only allows for # a single login (one for proxy, one for origin server). # Also be warned this will expose your users proxy # password to the peer. USE WITH CAUTION # # use 'login=*:password' to pass the username to the # upstream cache, but with a fixed password. This is meant # to be used when the peer is in another administrative # domain, but it is still needed to identify each user. # The star can optionally be followed by some extra # information which is added to the username. This can # be used to identify this proxy to the peer, similar to # the login=username:password option above. # # use 'connect-timeout=nn' to specify a peer # specific connect timeout (also see the # peer_connect_timeout directive) # # use 'digest-url=url' to tell Squid to fetch the cache # digest (if digests are enabled) for this host from # the specified URL rather than the Squid default # location. # # use 'allow-miss' to disable Squid's use of only-if-cached # when forwarding requests to siblings. This is primarily # useful when icp_hit_stale is used by the sibling. To # extensive use of this option may result in forwarding # loops, and you should avoid having two-way peerings # with this option. (for example to deny peer usage on # requests from peer by denying cache_peer_access if the # source is a peer) # # use 'max-conn=n' to limit the amount of connections Squid # may open to this peer. # # use 'htcp' to send HTCP, instead of ICP, queries # to the neighbor. You probably also want to # set the "icp port" to 4827 instead of 3130. # You MUST also set htcp_access expicitly. The default of # deny all will prevent peer traffic. # # use 'htcp-oldsquid' to send HTCP to old Squid versions # You MUST also set htcp_access expicitly. The default of # deny all will prevent peer traffic. # # 'originserver' causes this parent peer to be contacted as # a origin server. Meant to be used in accelerator setups. # # use 'name=xxx' if you have multiple peers on the same # host but different ports. This name can be used to # differentiate the peers in cache_peer_access and similar # directives. # # use 'forceddomain=name' to forcibly set the Host header # of requests forwarded to this peer. Useful in accelerator # setups where the server (peer) expects a certain domain # name and using redirectors to feed this domain name # is not feasible. # # use 'ssl' to indicate connections to this peer should # be SSL/TLS encrypted. # # use 'sslcert=/path/to/ssl/certificate' to specify a client # SSL certificate to use when connecting to this peer. # # use 'sslkey=/path/to/ssl/key' to specify the private SSL # key corresponding to sslcert above. If 'sslkey' is not # specified 'sslcert' is assumed to reference a # combined file containing both the certificate and the key. # # use sslversion=1|2|3|4 to specify the SSL version to use # when connecting to this peer # 1 = automatic (default) # 2 = SSL v2 only # 3 = SSL v3 only # 4 = TLS v1 only # # use sslcipher=... to specify the list of valid SSL ciphers # to use when connecting to this peer. # # use ssloptions=... to specify various SSL engine options: # NO_SSLv2 Disallow the use of SSLv2 # NO_SSLv3 Disallow the use of SSLv3 # NO_TLSv1 Disallow the use of TLSv1 # See src/ssl_support.c or the OpenSSL documentation for # a more complete list. # # use sslcafile=... to specify a file containing # additional CA certificates to use when verifying the # peer certificate. # # use sslcapath=... to specify a directory containing # additional CA certificates to use when verifying the # peer certificate. # # use sslcrlfile=... to specify a certificate revocation # list file to use when verifying the peer certificate. # # use sslflags=... to specify various flags modifying the # SSL implementation: # DONT_VERIFY_PEER # Accept certificates even if they fail to # verify. # NO_DEFAULT_CA # Don't use the default CA list built in # to OpenSSL. # DONT_VERIFY_DOMAIN # Don't verify the peer certificate # matches the server name # # use ssldomain= to specify the peer name as advertised # in it's certificate. Used for verifying the correctness # of the received peer certificate. If not specified the # peer hostname will be used. # # use front-end-https to enable the "Front-End-Https: On" # header needed when using Squid as a SSL frontend in front # of Microsoft OWA. See MS KB document Q307347 for details # on this header. If set to auto the header will # only be added if the request is forwarded as a https:// # URL. # #Default: # none
# TAG: cache_peer_domain # Use to limit the domains for which a neighbor cache will be # queried. Usage: # # cache_peer_domain cache-host domain [domain ...] # cache_peer_domain cache-host !domain # # For example, specifying # # cache_peer_domain parent.foo.net .edu # # has the effect such that UDP query packets are sent to # 'bigserver' only when the requested object exists on a # server in the .edu domain. Prefixing the domainname # with '!' means the cache will be queried for objects # NOT in that domain. # # NOTE: * Any number of domains may be given for a cache-host, # either on the same or separate lines. # * When multiple domains are given for a particular # cache-host, the first matched domain is applied. # * Cache hosts with no domain restrictions are queried # for all requests. # * There are no defaults. # * There is also a 'cache_peer_access' tag in the ACL # section. # #Default: # none
# TAG: cache_peer_access # Similar to 'cache_peer_domain' but provides more flexibility by # using ACL elements. # # cache_peer_access cache-host allow|deny [!]aclname ... # # The syntax is identical to 'http_access' and the other lists of # ACL elements. See the comments for 'http_access' below, or # the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html). # #Default: # none
# TAG: neighbor_type_domain # usage: neighbor_type_domain neighbor parent|sibling domain domain ... # # Modifying the neighbor type for specific domains is now # possible. You can treat some domains differently than the the # default neighbor type specified on the 'cache_peer' line. # Normally it should only be necessary to list domains which # should be treated differently because the default neighbor type # applies for hostnames which do not match domains listed here. # #EXAMPLE: # cache_peer cache.foo.org parent 3128 3130 # neighbor_type_domain cache.foo.org sibling .com .net # neighbor_type_domain cache.foo.org sibling .au .de # #Default: # none
# TAG: dead_peer_timeout (seconds) # This controls how long Squid waits to declare a peer cache # as "dead." If there are no ICP replies received in this # amount of time, Squid will declare the peer dead and not # expect to receive any further ICP replies. However, it # continues to send ICP queries, and will mark the peer as # alive upon receipt of the first subsequent ICP reply. # # This timeout also affects when Squid expects to receive ICP # replies from peers. If more than 'dead_peer' seconds have # passed since the last ICP reply was received, Squid will not # expect to receive an ICP reply on the next query. Thus, if # your time between requests is greater than this timeout, you # will see a lot of requests sent DIRECT to origin servers # instead of to your parents. # #Default: # dead_peer_timeout 10 seconds
# TAG: hierarchy_stoplist # A list of words which, if found in a URL, cause the object to # be handled directly by this cache. In other words, use this # to not query neighbor caches for certain objects. You may # list this option multiple times. # Note: never_direct overrides this option. #We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ?
# MEMORY CACHE OPTIONS # -----------------------------------------------------------------------------
# TAG: cache_mem (bytes) # NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. # IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL # USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER # THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. # # 'cache_mem' specifies the ideal amount of memory to be used # for: # * In-Transit objects # * Hot Objects # * Negative-Cached objects # # Data for these objects are stored in 4 KB blocks. This # parameter specifies the ideal upper limit on the total size of # 4 KB blocks allocated. In-Transit objects take the highest # priority. # # In-transit objects have priority over the others.
Сообщение отредактировано leah - 30.08.2010 - 08:53
|
|