network

NETWORK PARAMETERS

Network parameters control network configuration, e.g. communication ports, secure network access and options, SSL options, inter-cache communication, multicast ICP queries etc.

http_port https_port ssl_unclean_shutdown ssl_engine sslproxy_client_certificate
sslproxy_client_key sslproxy_version sslproxy_options sslproxy_cipher sslproxy_cafile
sslproxy_capath sslproxy_flags sslpassword_program icp_port htcp_port
mcast_groups udp_incoming_address udp_outgoing_address

TAG NAME: http_port

Description Port where Squid will listen for clients' http requests
Build Option Default
Usage http_port port [options]
      http_port hostname:port [options]
      http_port ip_address:port [options]
Default none
Synopsis
This parameter allows the user to define the address on which Squid will listen for clients' http requests. This is a required parameter, and there are no defaults. Without this configuration, Squid will never start.
Arguments
port Port to which Squid will bind the socket
hostname hostname to which Squid will bind the socket
ip_address ip_address to which Squid will bind the socket
When a hostname or IP address is specified (as shown in variations 2 and 3 above), Squid binds the socket to that specific address.

Note: The http_port parameter may be specified multiple times, with different addresses each time. This will cause Squid to listen on multiple ports.

Options are arguments that further control the behavior of the Squid proxy. The supported values are explained in the table below:
Options Functions
transparent Support for transparent interception of outgoing requests without browser settings
accel Accelerator mode. Also needs at least one of vhost/vport/defaultsite.
defaultsite= Main web site name for accelerators. Implies accel.
vhost Accelerator using the Host header for virtual domain support.
vport Accelerator using the Host header for virtual domain support.
vport= As above, but uses specified port number rather than the http_port number.
urlgroup= Default urlgroup to mark requests with.
protocol= Protocol to reconstruct accelerated requests with. Defaults to http.
no-connection-auth Prevent forwarding of Microsoft connection oriented authentication.
tproxy Support Linux TPROXY for spoofing outgoing connections using the client IP address.
Example(s)
http_port 3128
http_port 172.16.1.53:3300
http_port 172.16.1.53:80 accel defaultsite=visolve.com
http_port 3128 transparent

TAG NAME: https_port

Description Port where Squid will listen for clients' https requests
Build Option --enable-ssl
Usage https_port [ip:]port cert=certificate.pem [key=key.pem] [options...]
Default none
Synopsis
This parameter specifies the address where Squid will listen for clients' https requests. It is chiefly used when Squid is configured in accelerator mode and terminates the SSL connection itself.
Arguments
ip IP address to which Squid will bind the socket
port Port to which Squid will bind the socket
cert=certificate.pem Path and file name of the SSL certificate
key=key.pem Path and file name of the SSL private key for the certificate
options Additional features, explained in the table below:
Options Functions
accel Accelerator mode. Also needs at least one of defaultsite or vhost.
defaultsite= The name of the https site presented on this port
vhost Domain based virtual host support. Useful in combination with a wildcard certificate or other certificates valid for more than one domain. Implies accel.
urlgroup= Default urlgroup to mark requests with
protocol= Protocol to reconstruct accelerated requests with. Defaults to https.
cert= Path to SSL certificate (PEM format)
key= Path to SSL private key file (PEM format). If not specified, the certificate file is assumed to be a combined certificate and key file.
version= The version of SSL/TLS supported:
    1 automatic (default)
    2 SSLv2 only
    3 SSLv3 only
    4 TLSv1 only
cipher= Colon separated list of supported ciphers
options= Various SSL engine options. The most important being:
    NO_SSLv2 Disallow the use of SSLv2
    NO_SSLv3 Disallow the use of SSLv3
    NO_TLSv1 Disallow the use of TLSv1
    SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges
    See src/ssl_support.cc or the OpenSSL SSL_CTX_set_options documentation for a complete list of options.
clientca= File containing the list of CAs to use when requesting a client certificate
cafile= File containing additional CA certificates to use when verifying client certificates. If unset, clientca will be used.
capath= Directory containing additional CA certificates to use when verifying client certificates
dhparams= File containing DH parameters for temporary/ephemeral DH key exchanges
sslflags= Various flags modifying the use of SSL:
    DELAYED_AUTH - Don't request client certificates immediately, but wait until acl processing requires a certificate
    NO_DEFAULT_CA - Don't use the default CA list built in to OpenSSL.
    NO_SESSION_REUSE - Don't allow for session reuse. Each connection will result in a new SSL session.
    VERIFY_CRL - Verify CRL lists when accepting client certificates
    VERIFY_CRL_ALL - Verify CRL lists for all certificates in the client certificate chain
sslcontext= SSL session ID context identifier.
Example(s)
https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com

TAG NAME: ssl_unclean_shutdown

Description Used to handle bugs in browsers which do not fully support SSL
Build Option --enable-ssl
Usage ssl_unclean_shutdown on|off
Default ssl_unclean_shutdown off
Synopsis
Some browsers, such as MSIE, exhibit bugs during SSL shutdown. Setting this tag to "on" makes Squid work around those bugs.
Arguments
on/off Enable or disable ssl_unclean_shutdown

TAG NAME: ssl_engine

Description Defines the hardware SSL acceleration engine to be used
Build Option --enable-ssl
Usage ssl_engine engine
Default none
Synopsis
The OpenSSL engine to use. For example, you will need to set this if you would like to use hardware SSL acceleration.
Arguments
engine Hardware SSL accelerator to be used

TAG NAME: sslproxy_client_certificate

Description Used to define the client SSL certificate for proxying https:// URLs
Build Option --enable-ssl
Usage sslproxy_client_certificate path/certificatefile
Default none
Synopsis
When proxying https:// URL requests, this tag defines the path and file name of the client SSL certificate to be used for verification.
Arguments
path/certificatefile Path and the file that holds the client SSL certificate
Example(s)
sslproxy_client_certificate /usr/local/ssl/cert.pem

TAG NAME: sslproxy_client_key

Description Defines the client SSL certificate key for proxying https:// URLs
Build Option --enable-ssl
Usage sslproxy_client_key path/key.pem
Default none
Synopsis
When Squid is used as a proxy server for https:// URL requests, this tag defines the path and file name of the key belonging to the client SSL certificate.
Arguments
path/key.pem Path and the file that contains the client certificate key
Example(s)
sslproxy_client_key /usr/local/ssl/certkey.pem

TAG NAME: sslproxy_version

Description Defines the SSL version level to be used when proxying https:// URLs
Build Option --enable-ssl
Usage sslproxy_version version
Default sslproxy_version 1
Synopsis
When an SSL certificate is used for proxying https:// URLs, this tag defines the SSL version level that will be used for handling encrypted connections.
Arguments
version SSL version level
Example(s)
sslproxy_version 3

TAG NAME: sslproxy_options

Description Defines the SSL engine options to be used when proxying https:// URLs
Build Option --enable-ssl
Usage sslproxy_options option
Default none
Synopsis
When proxying https:// URLs, this tag is used to specify various SSL options.
Arguments
option SSL options
Example(s)
sslproxy_options NO_SSLv2

TAG NAME: sslproxy_cipher

Description SSL cipher list to be used when proxying https:// URLs
Build Option --enable-ssl
Usage sslproxy_cipher cipher
Default none
Synopsis
This tag sets the list of ciphers from which SSL will choose during the negotiation phase of the SSL connection when proxying https:// URLs.

Arguments
cipher SSL proxy cipher list to be used

TAG NAME: sslproxy_cafile

Description Defines the file that contains CA certificate
Build Option --enable-ssl
Usage sslproxy_cafile filename
Default none
Synopsis
This tag defines the file that contains the CA certificate to be used for verifying server certificates when Squid is used as a proxy server for https:// URLs.
Arguments
filename File that contains the CA certificate
Example(s)
sslproxy_cafile /usr/local/ca1.pem

TAG NAME: sslproxy_capath

Description Defines the directory containing the CA certificate file
Build Option --enable-ssl
Usage sslproxy_capath path
Default none
Synopsis
While proxying https:// URLs, this tag defines the directory where the CA certificate file used for verifying server certificates is located.
Arguments
path Directory where the CA certificate file is located
Example(s)
sslproxy_capath /usr/local/

TAG NAME: sslproxy_flags

Description Specifies how SSL should behave while proxying https:// URLs
Build Option --enable-ssl
Usage sslproxy_flags flags
Default none
Synopsis
When Squid is used as a proxy server for https:// URLs, this tag defines SSL's behaviour.
Arguments
Flags Meaning
DONT_VERIFY_PEER Accept certificates even if they fail to verify
NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL
NO_SESSION_REUSE Don't allow for session reuse. Each connection will result in a new SSL session.
VERIFY_CRL Verify CRL lists when accepting client certificates
VERIFY_CRL_ALL Verify CRL lists for all certificates in the client certificate chain
Example(s)
sslproxy_flags NO_DEFAULT_CA
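As an added example (not from the original page or from the Squid project), the following Python script parses the https_port options, sslproxy_version and sslproxy_flags directives described above and reports the settings that leave SSLv2/SSLv3 enabled or that accept unverifiable server certificates. The squid.conf fragment it reads is constructed, and the assumption that option and flag lists are comma- or colon-separated is the script's own, not stated on the page.

```python
import re
import shlex

# Constructed sample squid.conf fragment for demonstration (not from any real
# deployment); each line follows the directive syntax documented on this page.
SAMPLE_CONF = """\
http_port 3128
# accelerator on 443 with no options= at all, so SSLv2/SSLv3 remain allowed
https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com
https_port 8443 cert=/usr/local/ssl/combined.pem version=3 options=NO_SSLv2
sslproxy_version 1
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
"""

WEAK_VERSIONS = {"2": "SSLv2 only", "3": "SSLv3 only"}

def parse_directives(conf_text):
    """Yield (directive, [args]) for each non-comment, non-empty line."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = shlex.split(line)
            yield name, args

def port_options(args):
    """Map the tokens after [ip:]port: key=value pairs to their value,
    bare words such as 'accel' to True."""
    return dict(a.split("=", 1) if "=" in a else (a, True) for a in args)

def audit(conf_text):
    """Return a list of findings for weak SSL settings in the network directives."""
    findings = []
    for name, args in parse_directives(conf_text):
        if name == "https_port" and args:
            opts = port_options(args[1:])
            ver = str(opts.get("version", "1"))
            if ver in WEAK_VERSIONS:
                findings.append(f"https_port {args[0]}: version={ver} ({WEAK_VERSIONS[ver]})")
            # Assumed here: options= lists are ',' or ':' separated.
            ssl_opts = set(re.split(r"[:,]", str(opts.get("options", ""))))
            for proto in ("NO_SSLv2", "NO_SSLv3"):
                if proto not in ssl_opts:
                    findings.append(f"https_port {args[0]}: options= lacks {proto}")
        elif name == "sslproxy_version" and args and args[0] in WEAK_VERSIONS:
            findings.append(f"sslproxy_version {args[0]} ({WEAK_VERSIONS[args[0]]})")
        elif name == "sslproxy_flags" and args:
            if "DONT_VERIFY_PEER" in re.split(r"[:,]", args[0]):
                findings.append("sslproxy_flags DONT_VERIFY_PEER: server certificates "
                                "are accepted even if they fail to verify")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```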

TAG NAME: sslpassword_program

Description Specify a program used for entering SSL key passphrases when using encrypted SSL certificate keys.
Build Option --enable-ssl
Usage sslpassword_program program
Default none
Synopsis
Specify a program used for entering SSL key passphrases when using encrypted SSL certificate keys. If not specified, keys must either be unencrypted, or Squid must be started with the -N option to allow it to query interactively for the passphrase.
Arguments
program Program used for entering the SSL key passphrase
Example(s)
sslpassword_program /usr/local/program

TAG NAME: icp_port

Description Port number through which Squid sends and receives ICP queries
Build Option Default
Usage icp_port portnumber
Default icp_port 0
Synopsis
Defines the port on which ICP packets are sent to and received from neighbour caches.
Arguments
portnumber Port to which Squid will bind the socket
Example(s)
icp_port 3030

TAG NAME: htcp_port

Description Port number through which Squid sends and receives HTCP queries
Build Option --enable-htcp
Usage htcp_port portnumber
Default htcp_port 4827
Synopsis
This tag defines the port on which HTCP packets are sent to and received from neighbour caches.

Arguments
portnumber Port to which Squid will bind the socket
Example(s)
htcp_port 2134

TAG NAME: mcast_groups

Description Defines list of multicast groups which your server should join to receive multicasted ICP queries
Build Option Default
Usage mcast_groups ip_address
Default none
Synopsis
Multicast is essentially the ability to send one IP packet to multiple receivers. Your server will join the multicast groups defined by the given IP addresses.

This option is to be set only if you want to RECEIVE multicast queries.

ICP replies are always sent via unicast, so this option does not affect whether or not you will receive replies from multicast group members.

Arguments
ip_address ip_address of the multicast groups to join
Example(s)
mcast_groups 239.128.16.128 224.0.1.20

TAG NAME: udp_incoming_address, udp_outgoing_address

Description Defines the address for sending and receiving ICP packets
Build Option Default
Usage udp_incoming_address ip_address
      udp_outgoing_address ip_address
Default udp_incoming_address 0.0.0.0
        udp_outgoing_address 255.255.255.255
Synopsis
These tags define the interface through which ICP packets are sent and received. The default behavior is to not bind to any specific address.

A udp_incoming_address value of 0.0.0.0 indicates that Squid should listen for UDP messages on all available interfaces. If udp_outgoing_address is set to 255.255.255.255 (the default), then it will use the same socket as udp_incoming_address. Only change this if you want ICP queries sent from a different address than the one on which this Squid listens for ICP queries from other caches.
Arguments
ip_address ip_address to which Squid binds the ICP socket
Note: udp_incoming_address and udp_outgoing_address cannot have the same value since they both use port 3130.

Example(s)
udp_incoming_address 192.168.1.35
udp_outgoing_address 192.168.150.6