externalsupport

OPTIONS FOR EXTERNAL SUPPORT PROGRAMS

External support programs could be viewed as a simple means of modular design, allowing third parties to write modules to improve the features of Squid. That's being said, some of Squid's standard functionality is also provided by helper programs. The standard helper programs include dnsserver, pinger, and several authentication modules. Third party modules include redirectors, ad blockers, and additional authentication modules.

ftp_user

ftp_list_width

ftp_passive

ftp_sanitycheck

ftp_telnet_protocol

check_hostnames

allow_underscore

cache_dns_program

dns_children

dns_retransmit_interval

dns_timeout

dns_defnames

dns_nameservers

hosts_file

diskd_program

unlinkd_program

pinger_program

url_rewrite_program

url_rewrite_children

url_rewrite_concurrency

url_rewrite_host_header

url_rewrite_access

location_rewrite_program

location_rewrite_children

location_rewrite_concurrency

location_rewrite_access

auth_param

authenticate_cache_garbage_interval

authenticate_ttl

authenticate_ip_ttl

external_acl_type

authenticate_ip_shortcircuit_ttl

authenticate_ip_shortcircuit_access

storeurl_rewrite_program

storeurl_rewrite_children

storeurl_rewrite_concurrency

storeurl_access

     

Recommended minimum configuration

TAG NAME ftp_user

Description

This is the email address Squid uses to login to remote FTP servers anonymously

Build Option

Default

Usage

ftp_user username

Default

ftp_user squid@

Synopsis

For login to some servers, an anonymous email address is to be used. This tag is used to provide the anonymous email address for the login. This can simply be a user name followed by an @ symbol, which your domain name can be automatically attached to. Or it can be a full email address. This should be something reasonable for your domain, such as wwwuser@mydomain.com, or in the domainless case first mentioned, squid@, which happens to be the default for this option.

Arguments

username

User name to be used while login

Example(s)
ftp_user squid@squid.visolve.com

TAG NAME ftp_list_width

Description

The column width for auto-generated Web pages of FTP sites queried through Squid when Squid is in forward proxy
mode

Build Option

Default

Usage

ftp_list_width number

Default

ftp_list_width 32

Synopsis

This tag gives some control over how Squid formats the resulting file lists. Squid provides limited FTP proxy features to allow browsers (even older, non-FTP aware browsers) to communicate with FTP servers.

Arguments

number

Column width

Example(s)
ftp_list_width 48

TAG NAME ftp_passive

Description

If your firewall does not allow Squid to use passive connections, then turn off this option

Build Option

Default

Usage

ftp_passive on|off

Default

ftp_passive on

Synopsis
Enable or disable passive connections.

Arguments

on/off

Enable or disable this option

TAG NAME ftp_sanitycheck

Description

Squid performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested
server

Build Option

Default

Usage

ftp_sanitycheck on|off

Default

ftp_sanitycheck on

Synopsis

For security and data integrity reasons Squid by default performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested server. If you need to allow FTP connections to servers using another IP address for the data connection then turn this off.

Arguments

on/off

Enable or disable sanity checks

TAG NAME ftp_telnet_protocol

Description

Allows to use the telnet protocol as transport channel for the control connection.

Build Option

Default

Usage

ftp_telnet_protocol on|off

Default

ftp_telnet_protocol on

Synopsis

The FTP protocol is officially defined to use the telnet protocol as transport channel for the control connection. However, many implementations are broken and does not respect this aspect of the FTP protocol.

If there is any trouble accessing files with ASCII code 255 in the path or similar problems involving this ASCII code you can try setting this directive to off. If that helps, report to the operator of the FTP server in question that their FTP server is broken and does not follow the FTP standard.

Arguments

on/off

Enable or disable telnet protocol as transport channel

TAG NAME check_hostnames

Description

For security and stability reasons Squid by default checks hostnames for Internet standard RFC compliance

Build Option

Default

Usage

check_hostnames on|off

Default

check_hostnames on

Synopsis
If you want Squid not to perform these checks then turn this directive off.
If this directive is set to off, then squid disable the hostname validity/sanity checks before trying to look them up in DNS.

Arguments

on/off

Enable or disable hostname checks

TAG NAME allow_underscore

Description

If it is enabled, the underscore character is allowed in the Internet Hostnames

Build Option

Default

Usage

allow_underscore on|off

Default

allow_underscore on

Synopsis
Underscore character is strictly not allowed in Internet hostnames but nevertheless used by many sites. Set this to off if Squid sould be strict about the standard.

Arguments

on/off

Enable or disable underscore checks in URL

Synopsis

Squid requires a non-blocking resolver for its queries, an external program called dnsserver is included in the standard distribution. This tag is used to specify the path for the external dnsserver program.

Arguments

program

Path and the external dnsserver program

Example(s)
cache_dns_program /usr/local/libexec/dnsserver

TAG NAME dns_children

Description

The number of processes spawn to service DNS name lookups

Build Option

Default

Usage

dns_children number (1 to 32)

Default

dns_children 5

Synopsis

Specifies the number of external DNS resolver processes that will be started in order to serve requests. The default value of five is enough for many networks, however, if your Squid serves a large number of users, this value may need to be increased to avoid errors. However, increasing the number of processes also increases the load on system resources and may actually hinder performance if set too high. More than 10 is probably overkill.

Arguments

number

Number of dns children program

Example(s)
dns_children 10

TAG NAME dns_retransmit_interval

Description

Defines the initial retransmit time interval for DNS queries

Build Option

Default

Usage

dns_retransmit_interval time-units

Default

dns_retransmit_interval 5 seconds

Synopsis
The interval is doubled each time all configured DNS servers have been tried.

Arguments

time-units

Retransmit time interval

Example(s)
dns_retransmit_interval 15 seconds

TAG NAME dns_timeout

Description

This defines the DNS query timeout

Build Option

Default

Usage

dns_timeout time-units

Default

dns_timeout 5 minutes

Synopsis
If no response is received to a DNS query within this time then all DNS servers for the queried domain is assumed to be unavailable.

Arguments

time-units

DNS timeout period

Example(s)
dns_timeout 10 minutes

TAG NAME dns_defnames

Description

Enable/disable the dnsserver to add the local domain name to single component host names

Build Option

Default

Usage

dns_defnames on|off

Default

dns_defnames off

Synopsis

Normally the 'dnsserver' disables the RES_DEFNAMES resolver option (see res_init(3)). This prevents caches in a hierarchy from interpreting single-component hostnames locally. To allow dnsserver to handle single-component names, enable this option.

Arguments

on/off

Enable or disable this option

TAG NAME dns_nameservers

Description

Use this if you want to specify a list of DNS name servers (IP addresses) to use

Build Option

Default

Usage

dns_nameservers ip_address

Default

none

Synopsis

Normally defaults to resolve.conf, which simply means that Squid's parent DNS servers will be drawn from the /etc/resolve.conf file found on the system Squid runs on. It is possible to select other DNS servers if needed, for example to choose a more local caching DNS server, or a remote internet connected server.

Arguments

ip_address

IP address of the dns servers

Example(s)
dns_nameservers 10.0.0.1 192.172.0.4

TAG NAME hosts_file

Description

Defines the location of the host-local IP name-address associations database

Build Option

Default

Usage

host_file path/filename

Default

hosts_file /etc/hosts

Synopsis
For Unix and Linux system this file is located at /etc/hosts

Arguments

path

Path to the file that contains the ip addresses

filename

File that contains the ip addresses

Example(s)
hosts_file /hosts

TAG NAME diskd_program

Description

Specifies the location of the diskd executable

Build Option

Default

Usage

diskd_program path/filename

Default

diskd_program /usr/local/Squid/libexec/diskd

Synopsis
This tag is used to specify the location where diskd program is located
Note: This is only useful if you have compiled in diskd as one of the store io modules.

Arguments

path

Path where diskd program is located

filename

File that performs diskd operation

Example(s)
diskd_program /usr/local/libexec/diskd

TAG NAME unlinkd_program

Description

Specifies the location where executable for file deletion process is stored

Build Option

Default

Usage

unlinkd_program path/filename

Default

unlinkd_program /usr/local/Squid/libexec/unlinkd

Synopsis
The name of the helper program that deletes, or unlinks old files in the cache to make room for newer objects.

Arguments

path

Path where the program is located

filename

File that performs the specified operation

Example(s)
unlinkd_program /usr/local/libexec/unlinkd

TAG NAME pinger_program

Description

Specifies the location of the executable for the pinger process

Build Option

--enable-icmp

Usage

pinger_program path/filename

Default

pinger_program /usr/local/Squid/libexec/pinger

Synopsis

An external program that provides Squid with ICMP RTT information so that it can more effectively choose between multiple remote parent caches for request fulfillment.

Arguments

path

Path of the pinger executable program

filename

File that performs the pinger process

Example(s)
pinger_program /usr/local/libexec/pinger

TAG NAME url_rewrite_program

Description

Specifies the location of the executable for the URL redirector

Build Option

Default

Usage

url_rewrite_program path/to/rewriter/program

Default

none

Synopsis
Specify the location of the executable for the URL rewriter. Since they can perform almost any function there isn't one included.

For each requested URL, the rewriter will receive a line input with the following format
URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup [<SP> kvpairs] <NL>

The rewriter In the future, the rewriter interface will be extended with key=value pairs ("kvpairs" shown above). Rewriter programs should be prepared to receive and possibly ignore additional whitespace-separated tokens on each input line.

The rewriter may return a rewritten URL. The other components of the request line does not need to be returned (ignored if they are).

The rewriter can also indicate that a client-side redirect should be performed to the new URL. This is done by prefixing the returned URL with "301:" (moved permanently) or 302: (moved temporarily).

It can also return a "urlgroup" that can subsequently be matched in cache_peer_access and similar ACL driven rules. An urlgroup is returned by prefixing the returned url with "!urlgroup!"

By default, a URL rewriter is not used.
Arguments

path

Location of the rewriter program

rewriter

Executable file that performs the rewrite process

Example(s)
url_rewrite_program /usr/local/squirm/bin/squirm

TAG NAME url_rewrite_children

Description

The number of redirector processes to spawn.

Build Option

Default

Usage

url_rewrite_children number

Default

url_rewrite_children 5

Synopsis

The number of redirector processes to spawn. If you start too few Squid will have to wait for them to process a backlog of URLs, slowing it down. If you start too many they will use RAM and other system resources.

Aguments

number

Number of rewrite process to spawn

Example(s)
url_rewrite_children 15

TAG NAME url_rewrite_concurrency

Description

The number of requests each redirector helper can handle in parallel.

Build Option

Default

Usage

url_rewrite_concurrency number

Default

url_rewrite_concurrency 0

Synopsis
The number of requests each redirector helper can handle in parallel. Defaults to 0 which indicates that the redirector is a old-style singlethreaded redirector.

Arguments

number

Number of requests to be handle

Example(s)
url_rewrite_concurrency 10

TAG NAME url_rewrite_host_header

Description

Enable/disable Squid rewriting any host header in redirected requests

Build Option

Default

Usage

url_rewrite_host_header on|off

Default

url_rewrite_host_header on

Synopsis
By default Squid rewrites any Host: header in redirected requests.

Warning: If you are running a accelerator then this may not be a wanted effect of a redirector

Arguments

on/off

Enable /disable rewriting of host headers

TAG NAME url_rewrite_access

Description

Used to define the access lists specifies which requests are sent to the redirector processes.

Build Option

Default

Usage

url_rewrite_access allow|deny acl ...

Default

none

Synopsis
Some access lists which does not need redirection can be denied using this tag. By default all requests are sent to the redirector process.

Arguments

allow/deny

Allow or deny the access list

acl

List that to be allowed or denied

Example(s)
acl me src 172.16.1.35
url_rewrite_access allow me

TAG NAME location_rewritre_program

Description

Specify the location of the executable for the Location rewriter used to rewrite server generated redirects.

Build Option

Default

Usage

location_rewrite_program path/to/program

Default

none

Synopsis
Usually used in conjunction with a url_rewrite_program.
For each Location header received the location rewriter will receive one line with the format:
location URL <SP> requested URL <SP> urlgroup <NL>
The rewriter may return a rewritten Location URL or a blank line. The other components of the request line does not need to be returned (ignored if they are).
By default, a Location rewriter is not used.

Arguments

path

Location of the rewriter program

rewriter

Executable file that performs the rewrite process

Example(s)
location_rewrite_program /usr/local/squid/loc_prog

TAG NAME location_rewrite_children

Description

Specify the number of location rewriting processes to spawn.

Build Option

Default

Usage

location_rewrite_children number

Default

location_rewarite_children 5

Synopsis
The number of location rewriting processes to spawn. If you start too few Squid will have to wait for them to process a backlog of URLs, slowing it down.
If you start too many they will use RAM and other system resources.

Arguments

number

Number of location rewrite process to spawn

Example(s)
location_rewrite_children 15

TAG NAME location_rewrite_concurrency

Description

The number of requests each Location rewriter helper can handle in parallel.

Build Option

Default

Usage

location_rewrite_children number

Default

location_rewrite_children 0

Synopsis
The number of requests each Location rewriter helper can handle in parallel. Defaults to 0 which indicates that the helper is a old-style singlethreaded helper.

Arguments

number

Number of requests to be handle

Example(s)
location_rewrite_concurrency 10

TAG NAME location_rewrite_access

Description

Used to define the access lists which are to be redirected to the location rewriting process

Build Option

Default

Usage

location_rewrite_access allow|deny acl ...

Default

none

Synopsis
Some access lists specifies which requests are sent to location rewriting process. By default all requests are sent to the redirector process.

Arguments

allow/deny

Allow or deny the access list

acl

List that to be allowed or denied

Example(s)
acl me src 172.16.1.35
location_rewrite_access allow me

TAG NAME auth_param

Description

Provides an interface to the external authentication interface within Squid

Build Option

Default