Home Solutions Knowledge Base FAQs E-mail Support Live Chat Buy Support

Disclaimer: This manual is NOT a Squid tutorial. It is only a reference material that provides detailed explanation of all configuration parameters available in Squid 3.0. The reader is expected to have prior knowledge of basic Squid installation and configuration. For Complete tutorial on Squid, please visit http://www.squid-cache.org

Squid 3.0 Configuration Manual OPTIONS FOR EXTERNAL SUPPORT PROGRAMS External support programs could be viewed as a simple means of modular design, allowing third parties to write modules to improve the features of Squid. That's being said, some of Squid's standard functionality is also provided by helper programs. The standard helper programs include dnsserver, pinger, and several authentication modules. Third party modules include redirectors, ad blockers, and additional authentication modules. ftp_user ftp_list_width ftp_passive ftp_sanitycheck check_hostnames cache_dns_program dns_children dns_retransmit_interval dns_timeout dns_defnames dns_nameservers hosts_file diskd_program unlinkd_program pinger_program redirect_program redirect_children redirect_concurrency redirect_rewrites_host_header redirector_access auth_param authenticate_cache_garbage_interval authenticate_ttl authenticate_ip_ttl external_acl_type Recommended minimum configuration

TAG NAME                   ftp_user Description  This is the email address Squid uses to login to remote FTP servers anonymously Build Option  Default Usage  ftp_user username Default  ftp_user squid@ Synopsis For login to some servers, an anonymous email address is to be used. This tag is used to provide the anonymous email address for the login. This can simply be a user name followed by an @ symbol, which your domain name can be automatically attached to. Or it can be a full email address. This should be something reasonable for your domain, such as wwwuser@mydomain.com, or in the domainless case first mentioned, squid@, which happens to be the default for this option. Arguments username  User name to be used while login Example(s) ftp_user squid@squid.visolve.com       TAG NAME                   ftp_list_width Description  The column width for auto-generated Web pages of FTP sites queried through Squid when Squid is in forward proxy  mode Build Option  Default Usage  ftp_list_width number Default  ftp_list_width 32 Synopsis This tag gives some control over how Squid formats the resulting file lists. Squid provides limited FTP proxy features to allow browsers (even older, non-FTP aware browsers) to communicate with FTP servers. Arguments number  Column width Example(s) ftp_list_width 48       TAG NAME                   ftp_passive Description  If your firewall does not allow Squid to use passive connections, then turn off this option Build Option  Default Usage  ftp_passive on|off Default  ftp_passive on Synopsis Enable or disable passive connections. Arguments on/off  Enable or disable this option       TAG NAME                   ftp_sanitycheck Description  Squid performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested  server Build Option  Default Usage  ftp_sanitycheck on|off  Default  ftp_sanitycheck on Synopsis For security and data integrity reasons Squid by default performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested  server. If you need to allow FTP connections to servers using another IP address for the data connection then turn this off. Arguments on/off  Enable or disable sanity checks       TAG NAME                   check_hostnames Description  For security and stability reasons Squid by default checks hostnames for Internet standard RFC compliance Build Option  Default Usage  check_hostnames on|off  Default  check_hostnames on  Synopsis If you want Squid not to perform these checks then turn this directive off. Arguments on/off  Enable or disable hostname checks       TAG NAME                  cache_dns_program Description  This helper program is used for DNS resolution Build Option  --disable-internal-dns Usage  cache_dns_program program Default  cache_dns_program /usr/local/Squid/libexec/dnsserver  Synopsis Squid requires a non-blocking resolver for its queries, an external program called dnsserver is included in the standard distribution. This tag is used to specify the path for the external dnsserver program. Arguments program  Path and the external dnsserver program Example(s) cache_dns_program /usr/local/libexec/dnsserver       TAG NAME                   dns_children Description  The number of processes spawn to service DNS name lookups Build Option  Default Usage  dns_children number (1 to 32) Default  dns_children 5 Synopsis Specifies the number of external DNS resolver processes that will be started in order to serve requests. The default value of five is enough for many networks, however, if your Squid serves a large number of users, this value may need to be increased to avoid errors. However, increasing the number of processes also increases the load on system resources and may actually hinder performance if set too high. More than 10 is probably overkill. Arguments number  Number of dns children program Example(s) dns_children 10       TAG NAME                   dns_retransmit_interval Description  Defines the initial retransmit time interval for DNS queries Build Option  Default Usage  dns_retransmit_interval time-units Default  dns_retransmit_interval 5 seconds  Synopsis The interval is doubled each time all configured DNS servers have been tried. Arguments time-units  Retransmit time interval Example(s) dns_retransmit_interval 15 seconds       TAG NAME                   dns_timeout Description  This defines the DNS query timeout Build Option  Default Usage  dns_timeout time-units Default  dns_timeout 5 minutes  Synopsis If no response is received to a DNS query within this time then all DNS servers for the queried domain is assumed to be unavailable. Arguments time-units  DNS timeout period Example(s) dns_timeout 10 minutes       TAG NAME                   dns_defnames Description  Enable/disable the dnsserver to add the local domain name to single component host names Build Option  Default Usage  dns_defnames on|off Default  dns_defnames off  Synopsis Normally the 'dnsserver' disables the RES_DEFNAMES resolver option (see res_init(3)).  This prevents caches in a hierarchy from interpreting single-component  hostnames locally.  To allow dnsserver to handle single-component names, enable this option. Arguments on/off  Enable or disable this option       TAG NAME                   dns_nameservers Description  Use this if you want to specify a list of DNS name servers (IP addresses) to use Build Option  Default Usage  dns_nameservers ip_address Default  none  Synopsis Normally defaults to resolve.conf, which simply means that Squid's parent DNS servers will be drawn from the /etc/resolve.conf file found on the system Squid runs on. It is possible to select other DNS servers if needed, for example to choose a more local caching DNS server, or a remote internet connected server. Arguments ip_address  IP address of the dns servers Example(s) dns_nameservers 10.0.0.1 192.172.0.4       TAG NAME                   hosts_file Description  Defines the location of the host-local IP name-address associations database Build Option  Default Usage  host_file path/filename Default  hosts_file /etc/hosts  Synopsis For Unix and Linux system this file is located at /etc/hosts Arguments path  Path to the file that contains the ip addresses filename  File that contains the ip addresses Example(s) hosts_file /hosts       TAG NAME                  diskd_program Description  Specifies the location of the diskd executable Build Option  Default Usage  diskd_program path/filename Default  diskd_program /usr/local/Squid/libexec/diskd  Synopsis This tag is used to specify the location where diskd program is located Note: This is only useful if you have compiled in diskd as one of the store io modules. Arguments path  Path where diskd program is located filename  File that performs diskd operation Example(s) diskd_program /usr/local/libexec/diskd       TAG NAME                  unlinkd_program Description  Specifies the location where executable for file deletion process is stored Build Option  Default Usage  unlinkd_program path/filename Default  unlinkd_program /usr/local/Squid/libexec/unlinkd  Synopsis The name of the helper program that deletes, or unlinks old files in the cache to make room for newer objects. Arguments path  Path where the program is located filename  File that performs the specified operation Example(s) unlinkd_program /usr/local/libexec/unlinkd       TAG NAME                  pinger_program Description  Specifies the location of the executable for the pinger process Build Option  --enable-icmp Usage  pinger_program path/filename Default  pinger_program /usr/local/Squid/libexec/pinger  Synopsis An external program that provides Squid with ICMP RTT information so that it can more effectively choose between multiple remote parent caches for request fulfillment. Arguments path  Path of the pinger executable program filename  File that performs the pinger process Example(s) pinger_program /usr/local/libexec/pinger       TAG NAME                  redirect_program Description  Specifies the location of the executable for the URL redirector Build Option  Default Usage  redirect_program path/redirector Default  none  Synopsis This provides a method to export a request to an external program, and then to import that programs response and act as though the client sent the resulting request. To configure a redirector, enter the path to the redirector and the redirector filename in this tag. By default, a redirector is not used. Arguments path  Location of the redirector program redirector  Executable file that performs the redirection process Example(s) redirect_program /usr/local/squirm/bin/squirm       TAG NAME                  redirect_children Description  Specifies the number of redirector processes to spawn Build Option  Default Usage  redirect_children number Default  redirect_children 5             Synopsis For the redirector program, this defines the number of redirector process to spawn. If you start too few Squid will have to wait for them to process a backlog of URLs, slowing it down. If you start too many they will use RAM and other system resources. Arguments number  Number of redirector process to spawn Example(s) redirect_children 15       TAG NAME                  redirect_concurrency Description  Defines the number of requests each redirector helper can handle in parallel Build Option  Default Usage  redirect_concurrency number Default  redirect_concurrency 0  Synopsis Defaults to 0 which indicates that the redirector is a old-style single threaded redirector. Arguments number  Number of requests to be handle Example(s) redirect_concurrency 10       TAG NAME                  redirect_rewrites_host_header Description  Enable/disable Squid rewriting any host header in redirected requests Build Option  Default Usage  redirect_rewrites_host_header on|off Default  redirect_rewrites_host_header on  Synopsis By default Squid rewrites any host header in redirected requests. If you want Squid not to perform this operation disable this option. Note: If you are running a accelerator then this may not be a wanted effect of a redirector Arguments on/off  Enable /disable rewriting of host headers       TAG NAME                  redirector_access Description  Used to define the access lists which are to be redirected to the rediretor process Build Option  Default Usage  redirector_access allow|deny acl ... Default  none Synopsis Some access lists which does not need redirection can be denied using this tag. By default all requests are sent to the redirector process. Arguments allow/deny Allow or deny the access list acl List that to be allowed or denied Example(s) acl me src 172.16.1.35 redirector_access allow me       TAG NAME                  auth_param Description  Provides an interface to the external authentication interface within Squid Build Option  Default Usage  auth_param scheme parameter [setting] Default  netdb_ping_period 5 minutes  Synopsis This is used to pass parameters to the various authentication schemes making users to be authenticated in a number of ways. various schemes are explained below. Scheme Parameter Explanation basic "program" cmdline  Specify the command for the external authenticator.  Such a program reads a line containing "username  password" and replies "OK" or "ERR" in an endless loop.  If you use an authenticator, make sure you have 1 acl  of type proxy_auth. By default, the basic authentication sheme is not used unless a program is specified.  If you want to use the traditional proxy authentication, jump over to the ../auth_modules/NCSA directory and   type:      % make      % make install  Then, set this line to something like  auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd "children" numberofchildren  The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for them  to process a backlog of usercode/password verifications, slowing it down. When password verifications are done  via a (slow) network you are likely to need lots of authenticator processes.  auth_param basic children 5 "concurrency" concurrency  The number of concurrent requests the helper can process. The default of 0 is used for helpers who only  supports one request at a time.  auth_param basic concurrency 0 "realm" realmstring  Specifies the realm name which is to be reported to the client for the basic proxy authentication scheme (part of  the text the user will see when prompted their username and password). There is no default.  auth_param basic realm Squid proxy-caching web server "credentialsttl" timetolive  Specifies how long Squid assumes an externally validated username:password pair is valid for - in other words  how often the helper program is called for that user. Set this low to force revalidation with short lived   passwords.  Note that setting this high does not impact your susceptability to replay attacks unless you are  using an one-time password system (such as SecureID).  If you are using such a system, you will be  vulnerable to replay attacks unless you also use the max_user_ip ACL in an http_access rule. digest "program" cmdline  Specify the command for the external authenticator.  Such a program reads a line containing  "username":"realm" and replies with the appropriate H(A1) value base64 encoded. See rfc 2616 for the  definition of H(A1).  If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default,  authentication is not used.  If you want to use build an authenticator, ju