cf.data.pre

-

	Specify the command for the external authenticator.  Such a
	program reads a line containing "username password" and replies
	"OK" or "ERR" in an endless loop.  If you use an authenticator,
	make sure you have 1 acl of type proxy_auth.  By default, the
	authenticator_program is not used.

	If you want to use the traditional proxy authentication,
	jump over to the ../auth_modules/NCSA directory and
	type:
		% make
		% make install

	Then, set this line to something like

	authenticate_program @DEFAULT_PREFIX@/bin/ncsa_auth @DEFAULT_PREFIX@/etc/passwd

authenticate_program none
DOC_END

NAME: authenticate_children
TYPE: int
DEFAULT: 5
LOC: Config.authenticateChildren
DOC_START
	The number of authenticator processes to spawn (default 5). If you
	start too few Squid will have to wait for them to process a backlog
	of usercode/password verifications, slowing it down. When password
	verifications are done via a (slow) network you are likely to need
	lots of authenticator processes.

authenticate_children 5
DOC_END

NAME: authenticate_ttl
TYPE: int
DEFAULT: 3600
LOC: Config.authenticateTTL
DOC_START
	The time a checked username/password combination remains cached
	(default 3600). If a wrong password is given for a cached user,
	the user gets removed from the username/password cache forcing
	a revalidation.

authenticate_ttl 3600
DOC_END

COMMENT_START
 OPTIONS FOR TUNING THE CACHE
 -----------------------------------------------------------------------------
COMMENT_END

NAME: wais_relay_host
TYPE: string
DEFAULT: none
LOC: Config.Wais.relayHost
DOC_NONE

NAME: wais_relay_port
TYPE: ushort
DEFAULT: 0
LOC: Config.Wais.relayPort
DOC_START
	Relay WAIS request to host (1st arg) at port (2 arg).

wais_relay_host localhost
wais_relay_port 8000
DOC_END


NAME: request_size
COMMENT: (KB)
TYPE: b_size_t
DEFAULT: 100 KB
LOC: Config.maxRequestSize
DOC_START
	Maximum allowed request size in kilobytes.  If people are using
	POST to upload files, then set this to the largest acceptable
	filesize plus a few extra kbytes.

request_size 100 KB
DOC_END


NAME: refresh_pattern
TYPE: refreshpattern
LOC: Config.Refresh
DEFAULT: none
DOC_START
	usage: refresh_pattern [-i] regex min percent max [options]

	By default, regular expressions are CASE-SENSITIVE.  To make
	them case-insensitive, use the -i option.

	min and max are specified in MINUTES.
	percent is an integer number.

	options: override-expire
		 override-lastmod
		 reload-into-ims
		 ignore-reload

		override-expire enforces min age even if the server
		sent a Expires: header. Doing this VIOLATES the HTTP
		standard.  Enabling this feature could make you liable
		for problems which it causes.

		override-lastmod enforces min age even on objects
		that was modified recently.

		reload-into-ims changes client no-cache or ``reload''
		to If-Modified-Since requests. Doing this VIOLATES the
		HTTP standard. Enabling this feature could make you
		liable for problems which it causes.

		ignore-reload ignores a client no-cache or ``reload''
		header. Doing this VIOLATES the HTTP standard. Enabling
		this feature could make you liable for problems which
		it causes.
		
	Please see the file doc/Release-Notes-1.1.txt for a full
	description of Squid's refresh algorithm.  Basically a
	cached object is: (the order is changed from 1.1.X)

		FRESH if expires < now, else STALE
		STALE if age > max
		FRESH if lm-factor < percent, else STALE
		FRESH if age < min
		else STALE

	The refresh_pattern lines are checked in the order listed here.
	The first entry which matches is used.  If none of the entries
	match, then the default will be used.

Default:
refresh_pattern		^ftp:		1440	20%	10080
refresh_pattern		^gopher:	1440	0%	1440
refresh_pattern 	.		0	20%	4320
DOC_END


NAME: reference_age
TYPE: time_t
LOC: Config.referenceAge
DEFAULT: 1 year
DOC_START
	As a part of normal operation, Squid performs Least Recently
	Used removal of cached objects.  The LRU age for removal is
	computed dynamically, based on the amount of disk space in
	use.  The dynamic value can be seen in the Cache Manager 'info'
	output.

	The 'reference_age' parameter defines the maximum LRU age.  For
	example, setting reference_age to '1 week' will cause objects
	to be removed if they have not been accessed for a week or
	more.  The default value is one month.

	Specify a number here, followed by units of time.  For example:
		1 week
		3.5 days
		4 months
		2.2 hours

reference_age 1 month
DOC_END


NAME: quick_abort_min
COMMENT: (KB)
TYPE: kb_size_t
DEFAULT: 16 KB
LOC: Config.quickAbort.min
DOC_NONE

NAME: quick_abort_max
COMMENT: (KB)
TYPE: kb_size_t
DEFAULT: 16 kb
LOC: Config.quickAbort.max
DOC_NONE

NAME: quick_abort_pct
COMMENT: (percent)
TYPE: int
DEFAULT: 95
LOC: Config.quickAbort.pct
DOC_START
	The cache can be configured to continue downloading aborted
	requests.  This may be undesirable on slow (e.g. SLIP) links
	and/or very busy caches.  Impatient users may tie up file
	descriptors and bandwidth by repeatedly requesting and
	immediately aborting downloads.

	When the user aborts a request, Squid will check the
	quick_abort values to the amount of data transfered until
	then.

	If the transfer has less than 'quick_abort_min' KB remaining,
	it will finish the retrieval.  Setting 'quick_abort_min' to -1
	will disable the quick_abort feature.

	If the transfer has more than 'quick_abort_max' KB remaining,
	it will abort the retrieval.

	If more than 'quick_abort_pct' of the transfer has completed,
	it will finish the retrieval.

quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
DOC_END


NAME: negative_ttl
COMMENT: time-units
TYPE: time_t
LOC: Config.negativeTtl
DEFAULT: 5 minutes
DOC_START
	Time-to-Live (TTL) for failed requests.  Certain types of
	failures (such as "connection refused" and "404 Not Found") are
	negatively-cached for a configurable amount of time.  The
	default is 5 minutes.  Note that this is different from
	negative caching of DNS lookups.

negative_ttl 5 minutes
DOC_END


NAME: positive_dns_ttl
COMMENT: time-units
TYPE: time_t
LOC: Config.positiveDnsTtl
DEFAULT: 6 hours
DOC_START
	Time-to-Live (TTL) for positive caching of successful DNS lookups.
	Default is 6 hours (360 minutes).  If you want to minimize the
	use of Squid's ipcache, set this to 1, not 0.

positive_dns_ttl 6 hours
DOC_END


NAME: negative_dns_ttl
COMMENT: time-units
TYPE: time_t
LOC: Config.negativeDnsTtl
DEFAULT: 5 minutes
DOC_START
	Time-to-Live (TTL) for negative caching of failed DNS lookups.

negative_dns_ttl 5 minutes
DOC_END

NAME: range_offset_limit
COMMENT: (bytes)
TYPE: b_size_t
LOC: Config.rangeOffsetLimit
DEFAULT: 0 KB
DOC_START
	Sets a upper limit on how far into the the file a Range request
	may be to cause Squid to prefetch the whole file. If beyond this
	limit then Squid forwards the Range request as it is and the result
	is NOT cached.

	This is to stop a far ahead range request (lets say start at 17MB)
	from making Squid fetch the whole object up to that point before
	sending anything to the client.

	A value of -1 causes Squid to always fetch the object from the
	beginning so that it may cache the result. (2.0 style)

	A value of 0 causes Squid to never fetch more than the client
	client requested. (default)

range_offset_limit 0 KB
DOC_END


COMMENT_START
 TIMEOUTS
 -----------------------------------------------------------------------------
COMMENT_END

NAME: connect_timeout
COMMENT: time-units
TYPE: time_t
LOC: Config.Timeout.connect
DEFAULT: 2 minutes
DOC_START
	Some systems (notably Linux) can not be relied upon to properly
	time out connect(2) requests.  Therefore the Squid process
	enforces its own timeout on server connections.  This parameter
	specifies how long to wait for the connect to complete.  The
	default is two minutes (120 seconds).

connect_timeout 120 seconds
DOC_END

NAME: siteselect_timeout
COMMENT: time-units
TYPE: time_t
LOC: Config.Timeout.siteSelect
DEFAULT: 4 seconds
DOC_START
	For URN to multiple URL's URL selection

siteselect_timeout 4 seconds
DOC_END

NAME: read_timeout
COMMENT: time-units
TYPE: time_t
LOC: Config.Timeout.read
DEFAULT: 15 minutes
DOC_START
	The read_timeout is applied on server-side connections.  After
	each successful read(), the timeout will be extended by this
	amount.  If no data is read again after this amount of time,
	the request is aborted and logged with ERR_READ_TIMEOUT.  The
	default is 15 minutes.

read_timeout 15 minutes
DOC_END


NAME: request_timeout
TYPE: time_t
LOC: Config.Timeout.request
DEFAULT: 30 seconds
DOC_START
	How long to wait for an HTTP request after connection
	establishment.  For persistent connections, wait this long
	after the previous request completes.

request_timeout 30 seconds
DOC_END


NAME: client_lifetime
COMMENT: time-units
TYPE: time_t
LOC: Config.Timeout.lifetime
DEFAULT: 1 day
DOC_START
	The maximum amount of time that a client (browser) is allowed to
	remain connected to the cache process.  This protects the Cache
	from having alot of sockets (and hence file descriptors) tied up
	in a CLOSE_WAIT state from remote clients that go away without
	properly shutting down (either because of a network failure or
	because of a poor client implementation).  The default is one
	day, 1440 minutes.

	NOTE:  The default value is intended to be much larger than any
	client would ever need to be connected to your cache.  You
	should probably change client_lifetime only as a last resort.
	If you seem to have many client connections tying up
	filedescriptors, we recommend first tuning the read_timeout,
	request_timeout, pconn_timeout and quick_abort values.

client_lifetime 1 day
DOC_END

NAME: half_closed_clients
TYPE: onoff
LOC: Config.onoff.half_closed_clients
DEFAULT: on
DOC_START
	Some clients may shutdown the sending side of their TCP
	connections, while leaving their receiving sides open.	Sometimes,
	Squid can not tell the difference between a half-closed and a
	fully-closed TCP connection.  By default, half-closed client
	connections are kept open until a read(2) or write(2) on the
	socket returns an error.  Change this option to 'off' and Squid
	will immediately close client connections when read(2) returns
	"no more data to read."

half_closed_clients on
DOC_END

NAME: pconn_timeout
TYPE: time_t
LOC: Config.Timeout.pconn
DEFAULT: 120 seconds
DOC_START
	Timeout for idle persistent connections to servers and other
	proxies.
pconn_timeout 120 seconds
DOC_END

NAME: ident_timeout
TYPE: time_t
IFDEF: USE_IDENT
LOC: Config.Timeout.ident
DEFAULT: 10 seconds
DOC_START
	Maximum time to wait for IDENT requests.  If this is too high,
	and you enabled 'ident_lookup', then you might be susceptible
	to denial-of-service by having many ident requests going at
	once.

	This option may be disabled by using --disable-ident with
	the configure script.
ident_timeout 10 seconds
DOC_END


NAME: shutdown_lifetime
COMMENT: time-units
TYPE: time_t
LOC: Config.shutdownLifetime
DEFAULT: 30 seconds
DOC_START
	When SIGTERM or SIGHUP is received, the cache is put into
	"shutdown pending" mode until all active sockets are closed.
	This value is the lifetime to set for all open descriptors
	during shutdown mode.  Any active clients after this many
	seconds will receive a 'timeout' message.

shutdown_lifetime 30 seconds
DOC_END

COMMENT_START
 ACCESS CONTROLS
 -----------------------------------------------------------------------------
COMMENT_END

NAME: acl
TYPE: acl
LOC: Config.aclList
DEFAULT: none
DOC_START
	Defining an Access List

	acl aclname acltype string1 ...
	acl aclname acltype "file" ...

	when using "file", the file should contain one item per line

	acltype is one of src dst srcdomain dstdomain url_pattern
		urlpath_pattern time port proto method browser user

	By default, regular expressions are CASE-SENSITIVE.  To make
	them case-insensitive, use the -i option.

	acl aclname src      ip-address/netmask ... (clients IP address)
	acl aclname src      addr1-addr2/netmask ... (range of addresses)
	acl aclname dst      ip-address/netmask ... (URL host's IP address)
	acl aclname myip     ip-address/netmask ... (local socket IP address)

	acl aclname srcdomain   foo.com ...     # reverse lookup, client IP
	acl aclname dstdomain   foo.com ...     # Destination server from URL
	acl aclname srcdom_regex [-i] xxx ...   # regex matching client name
	acl aclname dstdom_regex [-i] xxx ...   # regex matching server
	  # For dstdomain and dstdom_regex  a reverse lookup is tried if a IP
	  # based URL is used. The name "none" is used if the reverse lookup
	  # fails.

	acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
	    day-abbrevs:
		S - Sunday
		M - Monday
		T - Tuesday
		W - Wednesday
		H - Thursday
		F - Friday
		A - Saturday
	    h1:m1 must be less than h2:m2
	acl aclname url_regex [-i] ^http:// ...	# regex matching on whole URL
	acl aclname urlpath_regex [-i] \.gif$ ...	# regex matching on URL path
	acl aclname port     80 70 21 ...
	acl aclname port     0-1024 ...		# ranges allowed
	acl aclname proto    HTTP FTP ...
	acl aclname method   GET POST ...
	acl aclname browser  [-i] regexp
	  # pattern match on User-Agent header
	acl aclname ident    username ...
	  # string match on ident output.