Home Solutions Knowledge Base FAQs E-mail Support Live Chat Buy Support

Disclaimer: This manual is NOT a Squid tutorial. It is only a reference material that provides detailed explanation of all configuration parameters available in Squid 2.6. The reader is expected to have prior knowledge of basic Squid installation and configuration. For Complete tutorial on Squid, please visit http://www.squid-cache.org

Squid 2.6 Configuration Manual NEIGHBOUR SELECTION ALGORITHM Configurations needed for communication of Squid with the neighbor caches are done under this category. cache_peer cache_peer_domain neighbor_type_domain icp_query_timeout maximum_icp_query_timeout minimum_icp_query_timeout mcast_icp_query_timeout dead_peer_timeout hierarchy_stoplist cache cache_vary broken_vary_encoding

TAG NAME                   cache_peer Description  This specifies other caches in cache hierarchy Build Option  Default Usage  cache_peer hostname type http_port icp_port [options] Default  none Synopsis This defines how to treat the neighbour peer's in cache hierarchy. This is used during inter cache communication. Arguments hostname  The cache peer to which communication is to be established type  The way how the cache peer be treated (either as 'parent', 'sibling' or 'multicast'). proxy_port  Port number where the cache listens for other peers requests. icp_port  Used for querying neighbor caches about objects. To have a non-ICP neighbor specify '7' for the ICP port and make sure the neighbour   machine has the UDP echo port - enabled in its /etc/inetd.conf file.   Options  Functions proxy-only  to specify that objects fetched from this cache should not be saved locally. weight=n  to specify a weighted parent. The weight must be an integer. The default weight is 1, larger weights are favored more. basetime=n  to specify a base amount to be subtracted from round trip times of parents. It is subtracted before division by weight in calculating    which parent to fetch from. If the rtt is less than the base time then the rtt is set to a minimal value. ttl=n  to specify a IP multicast TTL to use when sending an ICP queries to this address. Only useful when sending to a multicast group.  Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the   multicast-responder' option below. no-query  NOT to send ICP queries to this neighbor. default  if this is a parent cache which can be used as a "last-resort." You should probably only use 'default' in situations where you cannot  use ICP with your parent cache(s). round-robin  to define a set of parents which should be used in a round-robin fashion in the absence of any ICP queries. multicast-responder  indicates that the named peer is a member of a multicast group.  ICP queries willnot be sent directly to the peer, but ICP replies  will be accepted from it. closest-only  indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. no-digest  NOT to request cache digests from this neighbor. no-netdb-exchange  disables requesting ICMP RTT database (NetDB) from the neighbor. no-delay  to prevent access to this neighbor from influencing the delay pools. login=user:password  if this is a personal/workgroup proxy and your parent requires proxy authentication.  The string can include URL escapes (i.e. %20 for spaces). This also means that % must be written as %%. login=PASS  if users must authenticate against the upstream proxy. This will pass the users credentials as they are to the  peer proxy. This only works for the Basic HTTP authentication scheme.  To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for  one proxy login. Also be warned that this will expose your users proxy password to the peer. USE WITH CAUTION login=*:password  to pass the username to the upstream cache, but with a fixed password. This is meant to be used when the  peer is in another administrative  domain, but it is still needed to identify each user. The star can optionally  be followed by some extra information which is added to the username. This can be used to identify this  proxy to the peer, similar to the login=username:password option above. connect-timeout=nn  to specify a peer specific connect timeout (also see the peer_connect_timeout directive) digest-url=url  to tell Squid to fetch the cache digest (if digests are enabled) for this host from the specified URL rather than the Squid default  location. allow-miss  to disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by  the sibling. To extensive use of this option may result in forwardingloops, and you should avoid having two-way peerings with this  option. (for Example(s) to deny peer usage on requests from peer by denying cache_peer_access if the source is a peer) max-conn  to limit the amount of connections Squid may open to this peer. htcp  to send HTCP, instead of ICP, queries to the neighbor.  You probably also want to set the "icp port" to 4827  instead of 3130. htcp-oldsquid  to send HTCP to old Squid versions carp-load-factor  to define a parent cache as one participating in a CARP array. originserver  causes this parent peer to be contacted as a origin server. Meant to be used in accelerator setups. userhash  to load-balance amongst a set of parents based on the client proxy_auth or ident username. sourcehash  to load-balanse amongs a set of parents based on the client source ip. name=xxx  if you have multiple peers on the same host but different ports. This name can then be used to differentiate the peers in  cache_peer_access and similar directives. monitorurl=url  to have periodically request a given URL from the peer, and only consider the peer as alive if this monitoring is successful monitorsize=sizespec  to limit the size range of 'monitorurl' replies considered valid. monitorinterval=seconds  to change frequency of how often the peer is monitored with 'monitorurl' monitortimeout=seconds  to change the timeout of 'monitorurl'. Defaults to 'monitorinterval'. group=name  Group Name of the peer-cache forceddomain=name  to forcibly set the Host header of requests forwarded to this peer. Useful in accelerator setups where the server (peer)  expects a certain domain name and using redirectors to feed this domainname is not feasible. ssl  to indicate that connections to this peer should bs SSL/TLS encrypted. sslcert= /path/to/ssl/certificate  to specify a client SSL certificate to use when connecting to this peer. sslkey= /path/to/ssl/key  to specify the private SSL key corresponding to sslcert above. If 'sslkey' is not specified then 'sslcert' is assumed to reference a  combined file containing both the certificate and the key. sslversion=1|2|3|4  to specify the SSL version to use when connecting to this peer  1 = automatic (default)  2 = SSL v2 only  3 = SSL v3 only  4 = TLS v1 only sslcipher=...  to specify the list of valid SSL chipers to use when connecting to this peer ssloptions=...  to specify various SSL engine options  NO_SSLv2  Disallow the use of SSLv2  NO_SSLv3  Disallow the use of SSLv3  NO_TLSv1  Disallow the use of TLSv1 front-end-https  to enable the "Front-End-Https: On" header needed when using Squid as a SSL frontend infront of Microsoft OWA.  See MS KB document Q307347 for details on this header. If set to auto then the header will only be added if the  request is forwarded as a https://URL. connection-auth[=on|off|auto]  to tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges  received from there should be ignored. Example(s) cache_peer proxy.visolve.com parent 3128 3130 default cache_peer 172.16.1.57 parent 3128 3130 proxy-only cache_peer 172.16.1.123 sibling 3129 5500 weight=2       TAG NAME                   cache_peer_domain Description  Used to limit the domains for which a neighbour cache will be queried Build Option  Default Usage  cache_peer_domain cache-host domain [domain ...] Default  none Synopsis In case if there are more number of cache peers, then using this tag we can direct the query to that cache peer for particular domains alone. Prefixing the domain with "!" will be queried for objects NOT in that domain. Arguments cache-host  The cache peer to be queried for the specified domain domain  The domain for which the cache peer to be queried   Example(s) cache_peer_domain 172.16.1.57 .co.in       TAG NAME                   neighbor_type_domain Description  Using this tag, we can modify the define nerighbour type for particular domains Build Option  Default Usage  neighbor_type_domain neighbour parent|sibling domain domain ...  Default  none Synopsis There may be situations where an already defined neighbour to be treated differently for particular domains alone. This can be achieved using this directive. Arguments neighbour  The neighbour which to be treated diffrently parent|sibling  How the neighbour to be treated (parent/sibling) domain  The domain for which the cache peer to be treated differently Example(s) cache_peer parent 172.16.1.57 3128 3130 neighbor_type_domain 172.16.1.57 sibling.com       TAG NAME                   icp_query_timeout Description  Used to define the inter-cache query timeout Build Option  Default Usage  icp_query_timeout time(msec)  Default  icp_query_timeout 0 Synopsis Based on the round trip time of recent ICP queries, Squid normally determines an optimal ICP query timeout. If you want to override this value, you can specify the timeouts using this tag. The value specified is in Milliseconds. Arguments time  Fixed time period for ICP queries Example(s) icp_query_timeout 2000       TAG NAME                   maximum_icp_query_timeout Description  Defines ICP query timeout value to a maximum limit Build Option  Default Usage  maximum_icp_query_timeout time(msec)  Default  maximum_icp_query_timeout 2000 Synopsis Normally the ICP query timeout is determined dynamically. But sometimes it can lead to very large values (say 5 seconds). Use this option to put an upper limit on the dynamic timeout value.  The value specified is in Milliseconds. Note: Do NOT use this option to always use a fixed (instead of a dynamic) timeout value. To set a fixed timeout see the icp_query_timeout directive. Arguments time  Maximum upper time limit   Example(s) maximum_icp_query_timeout 4000       TAG NAME                   minimum_icp_query_timeout Description  Defines ICP query timeout value to a minimum limit Build Option  Default Usage  minimum_icp_query_timeout time(msec)  Default  minimum_icp_query_timeout 5 Synopsis As in the previous tag, ICP query timeouts to very small value, even lower than the normal latency variance on your link due to traffic. Use this option to put an lower limit on the dynamic timeout value. The value specified is in Milliseconds. Note: Do NOT use this option to always use a fixed (instead of a dynamic) timeout value. To set a fixed timeout see the icp_query_timeout directive. Arguments time  Minimum lower time limit   Example(s) minimum_icp_query_timeout 4000       TAG NAME                   mcast_icp_query_timeout Description  In case of multicast peer's, the value specified in this tag determines how long should Squid wait to count all replies from its  peers Build Option  Default Usage  mcast_icp_query_timeout time(msec)  Default  mcast_icp_query_timeout 2000 Synopsis For Multicast peers, Squid regularly sends out ICP "probes" to count how many other peers are listening on the given multicast address. This tag determines the time how long Squid should wait to count all replies from its peers. The value specified is in Milliseconds. Arguments time  Time period to wait Example(s) mcast_icp_query_timeout 3000       TAG NAME                   dead_peer_timeout Description  Defines the time period after which Squid will declare the corresponding peer as dead Build Option  Default Usage  dead_peer_timeout time(sec)  Default  dead_peer_timeout 10 seconds Synopsis This allows Squid to define the time period for declaring a peer cache as "dead."  If there are no ICP replies received with in the specified amount of time, Squid will declare that peer as dead and will not expect to receive any further ICP replies. However, it continues to send ICP queries, and will mark the peer as alive upon receipt of the first subsequent ICP reply. Note This timeout also affects when Squid expects to receive ICP replies from peers. If more than dead_peer seconds have passed since the last ICP reply was received, Squid will not expect to receive an ICP reply on the next query. Thus, if your time between requests is greater than this timeout, you will see a lot of requests sent DIRECT to origin servers instead of to your parents. Arguments time  Time period to decide the cache peer as dead Example(s) dead_peer_timeout 50 seconds       TAG NAME                   hierarchy_stoplist Description  Use this tag not to query neighbour caches for certain objects Build Option  Default Usage  hierarchy_stoplist words  Default  none Synopsis Certain words defined in this tag when matched in the URLs, directs Squid not to query neighbour caches. Arguments words  Words to be matched for direct access Example(s) hierarchy_stoplist cgi-bin ?       TAG NAME                   cache [previously called as no_cache] Description  Use this to force certain objects to never be cached Build Option  Default Usage  cache allow|deny acl ... Default  none Synopsis A list of ACL elements which, if matched, cause the request not to be satisfied from the cache and the reply not to be cached. In other words, use this to force certain objects to never be cached. You must use the word 'DENY' to indicate the ACL names which should NOT be cached. Arguments allow/deny  Allow or deny caching of objects on matching the acl acl  The condition/rule to be matched for which caching of those objects can be allowed or denied Example(s) acl QUERY urlpath_regex cgi-bin \? cache deny QUERY       TAG NAME                   cache_vary Description  Enables the caching of vary:in objects Build Option  Default Usage  cache_vary on|off Default  cache_vary on Synopsis Set to off to disable caching of Vary:in objects. This is URL's where the server response varies depending to the capabilites and preferences of the browser. Arguments on/off  Enable or Disable the vary       TAG NAME                   broken_vary_encoding Description  This replies matching this access list will have the cache split replies matching this access list will have the cache split  ETag to be unique. Build Option  Default Usage  broken_vary_encoding allow|deny [!]aclname Default  acl apache rep_header Server ^Apache  broken_vary_encoding allow apache Synopsis Many servers have broken support for on-the-fly Content-Encoding, returning the same ETag on both plain and gzip:ed variants. Vary replies matching this access list will have the cache split on the Accept-Encoding header of the request and not trusting the ETag to be unique. You must use the word 'DENY' to indicate the ACL names which should NOT be cached. Arguments allow/deny  Allow or deny the broken vary encoding on matching the acl acl  The condition/rule to be matched for which encoding can be allowed or denied Example(s) acl apache rep_header Server ^Apache broken_vary_encoding allow apache