Disclaimer: This manual is NOT a Squid tutorial. It is only reference material that provides a detailed explanation of all configuration parameters available in Squid 3.0. The reader is expected to have prior knowledge of basic Squid installation and configuration. For a complete tutorial on Squid, please visit http://www.squid-cache.org

Squid 3.0 Configuration Manual - Network Parameters


NETWORK PARAMETERS

Network parameters control the network configuration, e.g. communication ports, secure network access and options, SSL options, inter-cache communication, multicast ICP queries, etc.

http_port, https_port, ssl_unclean_shutdown, ssl_engine, sslproxy_client_certificate,
sslproxy_client_key, sslproxy_version, sslproxy_options, sslproxy_cipher, sslproxy_cafile,
sslproxy_capath, sslproxy_flags, icp_port, htcp_port, mcast_groups,
udp_incoming_address, udp_outgoing_address

TAG NAME  http_port

Description  Port where Squid will listen for clients' http requests
Build Option  Default
Usage  http_port port [options]
       http_port hostname:port [options]
       http_port ip_address:port [options]
Default  none

Synopsis
This parameter defines the address on which Squid will listen for clients' http requests. It is a required parameter with no default value: without it, Squid will not start.

Arguments
port  Port to which Squid will bind the socket
hostname  Hostname to which Squid will bind the socket
ip_address  IP address to which Squid will bind the socket


When a hostname or IP address is specified (as shown in variations 2 and 3 above), Squid binds the socket to that specific address.

Note: The http_port parameter may be specified multiple times, with different addresses each time. This will cause Squid to listen on multiple ports.

Options are arguments that further control the behavior of the Squid proxy. The supported values are explained in the table below:

Options  Functions
accel  Configure Squid in accelerator mode
transparent  Configure Squid as a transparent proxy
vhost  Accelerator using virtual hosts
vport  Accelerator with virtual IP host support
vport=NN  As above, but uses the specified port number rather than the http_port number
defaultsite=xx  Main web site name for accelerators; also implies the accel option
protocol=  Protocol to reconstruct accelerated requests with. Defaults to http.

Example(s)
http_port 3128
http_port 172.16.1.53:3300
http_port 172.16.1.53:80 accel defaultsite=visolve.com
http_port 3128 transparent


TAG NAME  https_port

Description  Port where Squid will listen for clients' https requests
Build Option  --enable-ssl
Usage  https_port [ip:]port cert=certificate.pem [key=key.pem] [options...]
Default  none

Synopsis
This parameter specifies the address where Squid will listen for clients' https requests. Its role is significant when Squid is configured in accelerator mode, where the SSL work is done by Squid itself.

Arguments
ip  IP address to which Squid will bind the socket
port  Port to which Squid will bind the socket
cert=certificate.pem  Path and file name of the SSL certificate
key=key.pem  Path and file name of the SSL private key for the certificate

Options control additional features and are explained in the table below:

Options  Functions
defaultsite=  The name of the https site presented on this port
protocol=  Protocol to reconstruct accelerated requests with. Defaults to https.
cert=  Path to SSL certificate (PEM format)
key=  Path to SSL private key file (PEM format). If not specified, the certificate file is assumed to be a combined certificate and key file.
version=  The version of SSL/TLS supported:
    1  automatic (default)
    2  SSLv2 only
    3  SSLv3 only
    4  TLSv1 only
cipher=  Colon-separated list of supported ciphers
options=  Various SSL engine options. The most important being:
    NO_SSLv2  Disallow the use of SSLv2
    NO_SSLv3  Disallow the use of SSLv3
    NO_TLSv1  Disallow the use of TLSv1
    SINGLE_DH_USE  Always create a new key when using temporary/ephemeral DH key exchanges
  See src/ssl_support.cc or the OpenSSL SSL_CTX_set_options documentation for a complete list of options.
clientca=  File containing the list of CAs to use when requesting a client certificate
cafile=  File containing additional CA certificates to use when verifying client certificates. If unset, clientca will be used.
capath=  Directory containing additional CA certificates to use when verifying client certificates
dhparams=  File containing DH parameters for temporary/ephemeral DH key exchanges
sslflags=  Various flags modifying the use of SSL:
    DELAYED_AUTH  Don't request client certificates immediately, but wait until acl processing requires a certificate
    NO_DEFAULT_CA  Don't use the default CA list built in to OpenSSL.

Example(s)
https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com
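The address forms and option syntax described above for http_port and https_port can be checked before a squid.conf is deployed. The following Python script is an added example, not code from this manual or from the Squid project: it parses http_port/https_port lines according to the Usage grammar on this page and reports listeners that bind every interface, https_port lines without the required cert=, and https_port lines that still allow SSLv2 or SSLv3 (via version= or a missing NO_SSLv2/NO_SSLv3 in options=). The functions parse_listen_directive, audit_listen_directive and audit_config, the constructed squid.conf fragment, and the assumption that values of options= are separated by ':' or ',' are the example's own, not Squid's.

```python
import re
import shlex

# Bare (valueless) options the page lists for http_port; key=value options are parsed generically.
BARE_FLAGS = {"accel", "transparent", "vhost", "vport"}

# Assumption of this example (the page does not state it): the values of options= are
# separated by ':' or ','.
OPTION_SEPARATORS = re.compile(r"[:,]")


def parse_listen_directive(line):
    """Parse one http_port/https_port line into a dict; return None for any other line.

    Address forms handled: 'port', 'hostname:port' and 'ip_address:port'.
    """
    tokens = shlex.split(line.split("#", 1)[0])          # drop a trailing comment
    if len(tokens) < 2 or tokens[0] not in ("http_port", "https_port"):
        return None
    directive, address = tokens[0], tokens[1]
    host, _, port = address.rpartition(":")              # "3128" -> host "", port "3128"
    if not port.isdigit():
        raise ValueError("bad port in line: %s" % line)
    entry = {"directive": directive, "host": host or None, "port": int(port),
             "flags": set(), "options": {}}
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry["options"][key] = value
            if key == "defaultsite":                     # page: defaultsite= implies accel
                entry["flags"].add("accel")
            if key == "vport":                           # vport=NN is vport with a fixed port
                entry["flags"].add("vport")
        elif tok in BARE_FLAGS:
            entry["flags"].add(tok)
        else:
            raise ValueError("unknown option %r in line: %s" % (tok, line))
    return entry


def audit_listen_directive(entry):
    """Return a list of findings for one parsed listener (empty when nothing is flagged)."""
    findings = []
    where = "%s %s" % (entry["directive"], entry["port"])
    if entry["host"] is None:
        findings.append("%s: no address given, so Squid binds this port on every interface" % where)
    if entry["directive"] == "https_port":
        opts = entry["options"]
        if "cert" not in opts:
            findings.append("%s: cert= is required for https_port" % where)
        version = opts.get("version", "1")               # page: 1 = automatic (default)
        if version in ("2", "3"):                        # page: 2 = SSLv2 only, 3 = SSLv3 only
            findings.append("%s: version=%s pins an obsolete protocol" % (where, version))
        elif version == "1":                             # automatic: SSLv2/SSLv3 still negotiable
            ssl_opts = set(OPTION_SEPARATORS.split(opts.get("options", "")))
            for proto in ("SSLv2", "SSLv3"):
                if "NO_" + proto not in ssl_opts:
                    findings.append("%s: %s still allowed; add options=NO_%s" % (where, proto, proto))
    return findings


def audit_config(text):
    """Audit every listener line in a squid.conf fragment; returns {stripped line: findings}."""
    report = {}
    for line in text.splitlines():
        entry = parse_listen_directive(line)
        if entry is not None:
            report[line.strip()] = audit_listen_directive(entry)
    return report


# Constructed squid.conf fragment (sample input for this example, not a real deployment).
SAMPLE_CONF = """
http_port 3128
http_port 172.16.1.53:80 accel defaultsite=visolve.com
https_port 172.16.1.53:443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com
https_port 172.16.1.53:8443 cert=/usr/local/ssl/cert.pem options=NO_SSLv2:NO_SSLv3 cipher=HIGH
"""

if __name__ == "__main__":
    for line, findings in audit_config(SAMPLE_CONF).items():
        print(line)
        for finding in findings or ["ok"]:
            print("   ", finding)
```

Run against the sample fragment, the plain `http_port 3128` is reported for binding every interface, the first https_port line is reported twice because it neither pins a version nor disables SSLv2/SSLv3, and the other two lines pass. The parser raises on tokens it does not recognise rather than skipping them, so a typo in an option name is caught instead of silently ignored.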

TAG NAME  ssl_unclean_shutdown

Description  Used to handle bugs in browsers which do not fully support SSL
Build Option  --enable-ssl
Usage  ssl_unclean_shutdown on|off
Default  ssl_unclean_shutdown off

Synopsis
Some browsers, such as MSIE, have bugs in their handling of SSL shutdown. Setting this tag to "on" makes Squid work around those bugs.

Arguments
on/off  Enable or disable ssl_unclean_shutdown

TAG NAME  ssl_engine

Description  Defines the hardware SSL acceleration engine to be used
Build Option  --enable-ssl
Usage  ssl_engine engine
Default  none

Synopsis
The OpenSSL engine to use. For example, you will need to set this if you want to use hardware SSL acceleration.

Arguments
engine  Hardware SSL accelerator to be used

TAG NAME  sslproxy_client_certificate

Description  Defines the client SSL certificate used when proxying https:// URLs
Build Option  --enable-ssl
Usage  sslproxy_client_certificate path/certificatefile
Default  none

Synopsis
When proxying https:// URL requests, this tag defines the path and file name of the client SSL certificate to be used for verification.

Arguments
path/certificatefile  Path and file name of the client SSL certificate

Example(s)
sslproxy_client_certificate /usr/local/ssl/cert.pem

TAG NAME  sslproxy_client_key

Description  Defines the client SSL certificate key used when proxying https:// URLs
Build Option  --enable-ssl
Usage  sslproxy_client_key path/key.pem
Default  none

Synopsis
When Squid is used as a proxy server for https:// URL requests, this tag defines the path and file name of the key belonging to the client SSL certificate.

Arguments
path/key.pem  Path and file name of the client certificate key

Example(s)
sslproxy_client_key /usr/local/ssl/certkey.pem  

TAG NAME  sslproxy_version

Description  Defines the SSL version level to be used when proxying https:// URLs
Build Option  --enable-ssl
Usage  sslproxy_version version
Default  sslproxy_version 1

Synopsis
When an SSL certificate is used for proxying https:// URLs, this tag defines the SSL version level that will be used for handling encrypted connections.


Arguments
version  SSL version level

Example(s)
sslproxy_version 3

TAG NAME  sslproxy_options

Description  Defines the SSL engine options to be used when proxying https:// URLs
Build Option  --enable-ssl
Usage  sslproxy_options option
Default  none

Synopsis
When proxying https:// URLs, this tag is used to specify various SSL options.

Arguments
option  SSL options

Example(s)
sslproxy_options NO_SSLv2

TAG NAME  sslproxy_cipher

Description  SSL cipher list to be used when proxying https:// URLs
Build Option  --enable-ssl
Usage  sslproxy_cipher cipher
Default  none

Synopsis
This tag sets the list of ciphers from which SSL will choose during the negotiation phase of the SSL connection when proxying https:// URLs.

Arguments
cipher  SSL proxy cipher list to be used

TAG NAME  sslproxy_cafile

Description  Defines the file that contains the CA certificate
Build Option  --enable-ssl
Usage  sslproxy_cafile filename
Default  none

Synopsis
This tag defines the file that contains the CA certificate to be used for verifying server certificates when Squid is used as a proxy server for https:// URLs.

Arguments
filename  File that contains CA certificate

Example(s)
sslproxy_cafile /usr/local/ca1.pem

TAG NAME  sslproxy_capath

Description  Defines the directory containing CA certificate files
Build Option  --enable-ssl
Usage  sslproxy_capath path
Default  none

Synopsis
While proxying https:// URLs, this tag defines the directory in which the CA certificate files used for verifying server certificates are located.

Arguments
path  Path where CA certificate file is located

Example(s)
sslproxy_capath /usr/local/

TAG NAME  sslproxy_flags

Description  Specifies how SSL should behave while proxying https:// URLs
Build Option  --enable-ssl
Usage  sslproxy_flags flags
Default  none

Synopsis
When Squid is used as a proxy server for https:// URLs, this tag defines how SSL behaves.

Arguments
Flags  Meaning
DONT_VERIFY_PEER  Accept certificates even if they fail to verify
NO_DEFAULT_CA  Don't use the default CA list built in to OpenSSL

Example(s)
sslproxy_flags NO_DEFAULT_CA
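The sslproxy_version, sslproxy_options, sslproxy_cafile, sslproxy_capath and sslproxy_flags tags above together decide how strictly Squid validates the servers it connects to on behalf of clients, and the weak combinations are easy to spot mechanically. The following Python script is an added example, not code from this manual or from the Squid project: it collects the sslproxy_* directives from a squid.conf fragment and reports DONT_VERIFY_PEER (certificates accepted even when they fail to verify), NO_DEFAULT_CA set without any sslproxy_cafile or sslproxy_capath to replace the built-in list, an sslproxy_version that pins SSLv2 or SSLv3, and the automatic version with SSLv2/SSLv3 still negotiable. The functions parse_sslproxy_settings and audit_sslproxy, the two constructed fragments, and two assumptions are the example's own: that sslproxy_flags and sslproxy_options values are separated by ':' or ',', and that sslproxy_version takes the same values as version= in the https_port table (1 automatic, 2 SSLv2 only, 3 SSLv3 only, 4 TLSv1 only).

```python
import re
import shlex

# Assumption of this example (the page does not state it): values of sslproxy_flags and
# sslproxy_options are separated by ':' or ','.
SEPARATORS = re.compile(r"[:,]")


def parse_sslproxy_settings(text):
    """Collect the sslproxy_* directives of a squid.conf fragment into a dict (last one wins)."""
    settings = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])        # drop a trailing comment
        if len(tokens) >= 2 and tokens[0].startswith("sslproxy_"):
            settings[tokens[0]] = " ".join(tokens[1:])
    return settings


def audit_sslproxy(settings):
    """Return findings about how server certificates of proxied https:// URLs are validated."""
    findings = []
    flags = set(SEPARATORS.split(settings.get("sslproxy_flags", "")))
    options = set(SEPARATORS.split(settings.get("sslproxy_options", "")))
    # Assumption: same value meanings as version= on https_port; page: default is 1.
    version = settings.get("sslproxy_version", "1")

    if "DONT_VERIFY_PEER" in flags:
        findings.append("DONT_VERIFY_PEER: server certificates are accepted even if they fail to verify")
    has_trust_store = "sslproxy_cafile" in settings or "sslproxy_capath" in settings
    if "NO_DEFAULT_CA" in flags and not has_trust_store:
        # Inference: the built-in CA list is disabled and nothing replaces it, so no CA is trusted
        findings.append("NO_DEFAULT_CA without sslproxy_cafile or sslproxy_capath: no CA is trusted")
    if version in ("2", "3"):                            # 2 = SSLv2 only, 3 = SSLv3 only
        findings.append("sslproxy_version %s pins an obsolete protocol" % version)
    elif version == "1":                                 # automatic: both can still be negotiated
        for proto in ("SSLv2", "SSLv3"):
            if "NO_" + proto not in options:
                findings.append("%s still negotiable; add sslproxy_options NO_%s" % (proto, proto))
    return findings


# Constructed squid.conf fragments (sample input for this example, not real deployments).
WEAK_CONF = """
sslproxy_version 1
sslproxy_flags DONT_VERIFY_PEER:NO_DEFAULT_CA
"""

HARDENED_CONF = """
sslproxy_version 1
sslproxy_options NO_SSLv2:NO_SSLv3
sslproxy_cipher HIGH:!aNULL
sslproxy_cafile /usr/local/ca1.pem
sslproxy_flags NO_DEFAULT_CA
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for finding in audit_sslproxy(parse_sslproxy_settings(conf)) or ["ok"]:
            print("   ", finding)
```

The weak fragment produces four findings: DONT_VERIFY_PEER, NO_DEFAULT_CA with no replacement trust store, and SSLv2 and SSLv3 still negotiable. The hardened fragment keeps NO_DEFAULT_CA but points sslproxy_cafile at an explicit CA file and disables both old protocols with sslproxy_options, so it passes clean.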

TAG NAME  icp_port

Description  Port number through which Squid sends and receives ICP queries
Build Option  Default
Usage  icp_port portnumber
Default  icp_port 0

Synopsis
Defines the port for ICP packets to be sent and received from neighbour caches.

Arguments
portnumber  Port to which Squid will bind the socket

Example(s)
icp_port 3030

TAG NAME  htcp_port

Description  Port number through which Squid sends and receives HTCP queries
Build Option  Default
Usage  htcp_port portnumber
Default  htcp_port 4827

Synopsis
This tag defines the port through which HTCP packets will be sent to and received from neighbour caches.

Arguments
portnumber  Port to which Squid will bind the socket

Example(s)
htcp_port 2134

TAG NAME  mcast_groups

Description  Defines the list of multicast groups which your server should join to receive multicast ICP queries
Build Option  Default
Usage  mcast_groups ip_address
Default  none

Synopsis
Multicast is essentially the ability to send one IP packet to multiple receivers. Your server will join the multicast groups defined by the IP addresses.

This option is to be set only if you want to RECEIVE multicast queries.

ICP replies are always sent via unicast, so this option does not affect whether or not you will receive replies from multicast group members.

Arguments
ip_address  ip_address of the multicast groups to join

Example(s)
mcast_groups 239.128.16.128 224.0.1.20

TAG NAME  udp_incoming_address, udp_outgoing_address

Description  Defines the address for sending and receiving ICP packets
Build Option  Default
Usage  udp_incoming_address ip_address
       udp_outgoing_address ip_address
Default  udp_incoming_address 0.0.0.0
         udp_outgoing_address 255.255.255.255

Synopsis
These tags define the interface through which ICP packets are sent and received. The default behavior is to not bind to any specific address.

A udp_incoming_address value of 0.0.0.0 indicates that Squid should listen for UDP messages on all available interfaces.

If udp_outgoing_address is set to 255.255.255.255 (the default) then it will use the same socket as udp_incoming_address. Only change this if you want to have ICP queries sent using another address than where this Squid listens for ICP queries from other caches.


Arguments
ip_address  IP address to which Squid binds the ICP socket

Note: udp_incoming_address and udp_outgoing_address cannot have the same value, since they both use port 3130.

Example(s)
udp_incoming_address 172.16.1.35
udp_outgoing_address 192.168.150.6



All rights reserved.
All trademarks used in this document are owned by their respective companies. This document makes no ownership claim of any trademark(s). If you wish to have your trademark removed from this document, please contact the copyright holder. No disrespect is meant by any use of other companies' trademarks in this document.
Note: The pages on this website cannot be duplicated on to another site. Copying and usage of the contents for personal and corporate purposes is acceptable. In near future, it will be released under the GNU Free Documentation License.
 
 
Revision No: 1.0  
Last Modified By: ViSolve Date: July 30 2006