network

NETWORK PARAMETERS

Network parameters control network configuration, e.g. communication ports, secure network access and options, SSL options, inter-cache communication, multicast ICP queries etc.

http_port

https_port

ssl_unclean_shutdown

ssl_engine

sslproxy_client_certificate

sslproxy_client_key

sslproxy_version

sslproxy_options

sslproxy_cipher

sslproxy_cafile

sslproxy_capath

sslproxy_flags

icp_port

htcp_port

mcast_groups

udp_incoming_address

udp_outgoing_address

TAG NAME

http_port

Description

Port where Squid will listen for clients http requests

Build Option

Default

Usage

http_port port [options]
http_port hostname:port [options]
http_port ip_address:port [options]

Default

none

Synopsis
This parameter defines the address on which Squid will listen for clients' http requests. It is a required parameter with no default: without it, Squid will not start.

Arguments

port

Port to which Squid will bind the socket

hostname

hostname to which Squid will bind the socket

ip_address

ip_address to which Squid will bind the socket

When a hostname or IP address is specified (as shown in variations 2 and 3 above), Squid binds the socket to that specific address.

Note: The http_port parameter may be specified multiple times, with different addresses each time. This will cause Squid to listen on multiple ports.

Options are arguments that further control the behavior of the Squid proxy. The supported values are explained in the table below:

Options

Functions

accel

Configure Squid in accelerator mode

transparent

Configure Squid as a transparent proxy

vhost

Accelerator using virtual hosts

vport

Accelerator with virtual ip host support

vport=NN

As above, but uses specified port number rather than the http_port number.

defaultsite=xx

Main web site name for accelerators. Also implies the accel option.

protocol=

Protocol to reconstruct accelerated requests with. Defaults to http.

Example(s)
http_port 3128
http_port 172.16.1.53:3300
http_port 172.16.1.53:80 accel defaultsite=visolve.com
http_port 3128 transparent

TAG NAME

https_port

Description

Port where Squid will listen for clients https requests

Build Option

--enable-ssl

Usage

https_port [ip:]port cert=certificate.pem [key=key.pem] [options...]

Default

none

Synopsis
This parameter specifies the address on which Squid will listen for clients' https requests. It matters mainly when Squid is configured in accelerator mode and the SSL work is done by Squid itself.

Arguments

ip

IP Address to which Squid will bind the socket

port

Port to which Squid will bind the socket

cert=certificate.pem

Path and the file name where SSL certificate is located

key=key.pem

Path and the file name where SSL private key for the certificate is located

Options control additional features and are explained in the table below:

Options

Functions

defaultsite=

The name of the https site presented on this port

protocol=

Protocol to reconstruct accelerated requests with. Defaults to https.

cert=

Path to SSL certificate (PEM format)

key=

Path to SSL private key file (PEM format). If not specified, the certificate file is assumed to be a combined certificate and key file.

version=

The version of SSL/TLS supported
1 automatic (default)
2 SSLv2 only
3 SSLv3 only
4 TLSv1 only

cipher=

Colon separated list of supported ciphers

options=

Various SSL engine options. The most important being:

NO_SSLv2 Disallow the use of SSLv2
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1
SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges


See src/ssl_support.cc or OpenSSL SSL_CTX_set_options documentation for a complete list of options.

clientca=

File containing the list of CAs to use when requesting a client certificate

cafile=

File containing additional CA certificates to use when verifying client certificates. If unset clientca will be used.

capath=

Directory containing additional CA certificates to use when verifying client certificates

dhparams=

File containing DH parameters for temporary/ephemeral DH key exchanges

sslflags=

Various flags modifying the use of SSL:
DELAYED_AUTH - Don't request client certificates immediately, but wait until acl processing requires a certificate
NO_DEFAULT_CA - Don't use the default CA list built in to OpenSSL.

Example(s)
https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com

TAG NAME

ssl_unclean_shutdown

Description

Used to work around bugs in browsers which do not fully support SSL

Build Option

--enable-ssl

Usage

ssl_unclean_shutdown on|off

Default

ssl_unclean_shutdown off

Synopsis
Some browsers, such as MSIE, have bugs in their handling of SSL shutdown. Setting this tag to "on" works around those bugs.

Arguments

on/off

Enable or disable ssl_unclean_shutdown

TAG NAME

ssl_engine

Description

Defines the hardware SSL acceleration engine to be used

Build Option

--enable-ssl

Usage

ssl_engine engine

Default

none

Synopsis
The OpenSSL engine to use. For example, you will need to set this if you want to use hardware SSL acceleration.

Arguments

engine

Hardware SSL accelerator to be used

TAG NAME

sslproxy_client_certificate

Description

Defines the client SSL certificate to use when proxying https:// URLs

Build Option

--enable-ssl

Usage

sslproxy_client_certificate path/certificatefile

Default

none

Synopsis
When proxying https:// URL requests, this tag gives the path and file name of the client SSL certificate to be used for verification.

Arguments

path/certificatefile

Path and file name of the client SSL certificate

Example(s)
sslproxy_client_certificate /usr/local/ssl/cert.pem

TAG NAME

sslproxy_client_key

Description

Defines the key for the client SSL certificate used when proxying https:// URLs

Build Option

--enable-ssl

Usage

sslproxy_client_key path/key.pem

Default

none

Synopsis
When Squid is used as a proxy server for https:// URL requests, this tag gives the path and file name of the key for the client SSL certificate.

Arguments

path/key.pem

Path and file name of the client certificate key

Example(s)
sslproxy_client_key /usr/local/ssl/certkey.pem

TAG NAME

sslproxy_version

Description

Defines the SSL version level to be used when proxying https:// URLs

Build Option

--enable-ssl

Usage

sslproxy_version version

Default

sslproxy_version 1

Synopsis
When an SSL certificate is used for proxying https:// URLs, this tag defines the SSL version level that will be used for handling encrypted connections.

Arguments

version

SSL version level

Example(s)
sslproxy_version 3

TAG NAME

sslproxy_options

Description

This defines the SSL engine options to be used when proxying https:// URLs

Build Option

--enable-ssl

Usage

sslproxy_options option

Default

none

Synopsis
When proxying https:// URLs, this tag is used to specify various SSL options.

Arguments

option

SSL options

Example(s)
sslproxy_options NO_SSLv2

TAG NAME

sslproxy_cipher

Description

SSL cipher list to be used when proxying https:// URLs

Build Option

--enable-ssl

Usage

sslproxy_cipher cipher

Default

none

Synopsis
This tag sets the list of ciphers from which SSL will choose during the negotiation phase of the SSL connection when proxying https:// URLs.

Arguments

cipher

SSL proxy cipher to be used

TAG NAME

sslproxy_cafile

Description

Defines the file that contains the CA certificate

Build Option

--enable-ssl

Usage

sslproxy_cafile filename

Default

none

Synopsis
This tag defines the file that contains the CA certificate used to verify server certificates when Squid is used as a proxy server for https:// URLs.

Arguments

filename

File that contains CA certificate

Example(s)
sslproxy_cafile /usr/local/ca1.pem

TAG NAME

sslproxy_capath

Description

Defines the directory containing the CA certificate file

Build Option

--enable-ssl

Usage

sslproxy_capath path

Default

none

Synopsis
While proxying https:// URLs, this tag defines the directory in which the CA certificate file used to verify server certificates is located.

Arguments

path

Path where CA certificate file is located

Example(s)
sslproxy_capath /usr/local/

TAG NAME

sslproxy_flags

Description

Specifies how SSL should behave while proxying https:// URLs

Build Option

--enable-ssl

Usage

sslproxy_flags flags

Default

none

Synopsis
When Squid is used as a proxy server for https:// URLs, this tag defines how SSL behaves.

Arguments

Flags

Meaning

DONT_VERIFY_PEER

Accept certificates even if they fail to verify

NO_DEFAULT_CA

Don't use the default CA list built in to OpenSSL

Example(s)
sslproxy_flags NO_DEFAULT_CA
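As an added configuration audit (not from this page or from Squid itself) covering the https_port version= and options= table above together with the sslproxy_version, sslproxy_options and sslproxy_flags tags: the script reads those documented tags from a constructed squid.conf fragment and reports settings that pin SSLv2/SSLv3 or accept server certificates that fail verification. Treating ':' or ',' as the separator inside an options= list is an assumption, as is the sample configuration.

```python
import shlex

# Constructed sample squid.conf fragment mixing weak and hardened settings.
SAMPLE_CONF = """\
http_port 3128
https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem version=2
https_port 8443 cert=/usr/local/ssl/combined.pem options=NO_SSLv2:NO_SSLv3
sslproxy_version 3
sslproxy_flags DONT_VERIFY_PEER NO_DEFAULT_CA
sslproxy_options NO_SSLv2
"""

# version= values that pin one legacy protocol (from the page's version table).
LEGACY_VERSIONS = {"2": "SSLv2 only", "3": "SSLv3 only"}
# Options a hardened listener or outbound side should carry (page's options= table).
WANTED_OPTIONS = {"NO_SSLv2", "NO_SSLv3"}


def parse_conf(text):
    """Yield (tag, args) for each non-empty, non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tag, *args = shlex.split(line)
            yield tag, args


def split_options(values):
    """Flatten option tokens; ':' or ',' as list separators is an assumption."""
    return {o for v in values for o in v.replace(",", ":").split(":") if o}


def audit_ssl(text):
    """Return [(tag, message)] for every weak SSL setting in the config."""
    findings = []
    for tag, args in parse_conf(text):
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        if tag == "https_port":
            ver = opts.get("version", "1")  # 1 = automatic (page default)
            if ver in LEGACY_VERSIONS:
                findings.append((tag, f"version={ver} pins {LEGACY_VERSIONS[ver]}"))
            missing = WANTED_OPTIONS - split_options([opts.get("options", "")])
            if ver == "1" and missing:  # automatic negotiation may still pick them
                findings.append((tag, "options= lacks " + ", ".join(sorted(missing))))
        elif tag == "sslproxy_version" and args and args[0] in LEGACY_VERSIONS:
            findings.append((tag, f"version {args[0]} pins {LEGACY_VERSIONS[args[0]]}"))
        elif tag == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append((tag, "DONT_VERIFY_PEER accepts server certificates that fail to verify"))
        elif tag == "sslproxy_options":
            missing = WANTED_OPTIONS - split_options(args)
            if missing:
                findings.append((tag, "lacks " + ", ".join(sorted(missing))))
    return findings
```

Run `audit_ssl(open("squid.conf").read())` against a real file; the sample yields four findings, one for each weak line, and none for the hardened https_port 8443 listener.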

TAG NAME

icp_port

Description

Port number through which Squid sends and receives ICP queries

Build Option

Default

Usage

icp_port portnumber

Default

icp_port 0

Synopsis
Defines the port on which ICP packets are sent to and received from neighbour caches.

Arguments

portnumber

Port to which Squid will bind the socket

Example(s)
icp_port 3030

TAG NAME

htcp_port

Description

Port number through which Squid sends and receives HTCP queries

Build Option

Default

Usage

htcp_port portnumber

Default

htcp_port 4827

Synopsis
This tag defines the port through which HTCP packets are sent to and received from neighbour caches.

Arguments

portnumber

Port to which Squid will bind the socket

Example(s)
htcp_port 2134

TAG NAME

mcast_groups

Description

Defines the list of multicast groups your server should join in order to receive multicast ICP queries

Build Option

Default

Usage

mcast_groups ip_address

Default

none

Synopsis
Multicast is essentially the ability to send one IP packet to multiple receivers. Your server will join the multicast groups identified by the given IP addresses.

This option is to be set only if you want to RECEIVE multicast queries.

ICP replies are always sent via unicast, so this option does not affect whether or not you will receive replies from multicast group members.

Arguments

ip_address

ip_address of the multicast groups to join

Example(s)
mcast_groups 239.128.16.128 224.0.1.20

TAG NAME

udp_incoming_address, udp_outgoing_address

Description

Defines the address for sending and receiving ICP packets

Build Option

Default

Usage

udp_incoming_address ip_address
udp_outgoing_address ip_address

Default

udp_incoming_address 0.0.0.0
udp_outgoing_address 255.255.255.255

Synopsis
These tags define the interface through which ICP packets are sent and received. The default behaviour is not to bind to any specific address.

A udp_incoming_address value of 0.0.0.0 indicates that Squid should listen for UDP messages on all available interfaces.

If udp_outgoing_address is set to 255.255.255.255 (the default) then it will use the same socket as udp_incoming_address. Only change this if you want to have ICP queries sent using another address than where this Squid listens for ICP queries from other caches.

Arguments

ip_address

ip_address to which Squid binds the ICP socket

Note: udp_incoming_address and udp_outgoing_address cannot have the same value since they both use port 3130.

Example(s)
udp_incoming_address 172.16.1.35
udp_outgoing_address 192.168.150.6