📄 cf.data.pre
      # use REQUIRED to accept any non-null ident.
    acl aclname src_as number ...
    acl aclname dst_as number ...
      # Besides access control, AS numbers can be used for
      # routing of requests to specific caches. Here's an
      # example for routing all requests for AS#1241 and only
      # those to mycache.mydomain.net:
      # acl asexample dst_as 1241
      # cache_peer_access mycache.mydomain.net allow asexample
      # cache_peer_access mycache.mydomain.net deny all

    acl aclname proxy_auth username ...
      # list of valid usernames
      # use REQUIRED to accept any valid username.
      #
      # NOTE: when a Proxy-Authentication header is sent but it is not
      # needed during ACL checking the username is NOT logged
      # in access.log.
      #
      # NOTE: proxy_auth requires an EXTERNAL authentication program
      # to check username/password combinations (see
      # authenticate_program).
      #
      # WARNING: proxy_auth can't be used in a transparent proxy. It
      # collides with any authentication done by origin servers. It may
      # seem like it works at first, but it doesn't.

    acl aclname snmp_community string ...
      # A community string to limit access to your SNMP Agent
      # Example:
      #
      #    acl snmppublic snmp_community public

Examples:
acl myexample dst_as 1241
acl password proxy_auth 300

Defaults:
NOCOMMENT_START
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
NOCOMMENT_END
DOC_END

NAME: http_access
TYPE: acl_access
LOC: Config.accessList.http
DEFAULT: none
DEFAULT_IF_NONE: deny all
DOC_START
    Allowing or Denying access based on defined access lists

    Access to the HTTP port:
    http_access allow|deny [!]aclname ...

    Access to the ICP port:
    icp_access allow|deny [!]aclname ...

    NOTE on default values:

    If there are no "access" lines present, the default is to allow
    the request.

    If none of the "access" lines cause a match, the default is the
    opposite of the last line in the list. If the last line was
    deny, then the default is allow.
    Conversely, if the last line is allow, the default will be deny.
    For these reasons, it is a good idea to have a "deny all" or
    "allow all" entry at the end of your access lists to avoid
    potential confusion.

Default configuration:
NOCOMMENT_START
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access deny all
NOCOMMENT_END
DOC_END

NAME: icp_access
TYPE: acl_access
LOC: Config.accessList.icp
DEFAULT: none
DEFAULT_IF_NONE: deny all
DOC_START
    Reply to all ICP queries we receive

NOCOMMENT_START
icp_access allow all
NOCOMMENT_END
DOC_END

NAME: miss_access
TYPE: acl_access
LOC: Config.accessList.miss
DEFAULT: none
DOC_START
    Use to force your neighbors to use you as a sibling instead of
    a parent. For example:

        acl localclients src 172.16.0.0/16
        miss_access allow localclients
        miss_access deny !localclients

    This means that only your local clients are allowed to fetch
    MISSES and all other clients can only fetch HITS.

    By default, allow all clients who passed the http_access rules
    to fetch MISSES from us.

NOCOMMENT_START
miss_access allow all
NOCOMMENT_END
DOC_END

NAME: cache_peer_access
TYPE: peer_access
DEFAULT: none
LOC: none
DOC_START
    Similar to 'cache_peer_domain' but provides more flexibility by
    using ACL elements.

    cache_peer_access cache-host allow|deny [!]aclname ...

    The syntax is identical to 'http_access' and the other lists of
    ACL elements.
    See the comments for 'http_access' below, or
    the Squid FAQ (http://squid.nlanr.net/Squid/FAQ/FAQ-10.html).
DOC_END

NAME: proxy_auth_realm
TYPE: eol
DEFAULT: Squid proxy-caching web server
LOC: Config.proxyAuthRealm
DOC_START
    Specifies the realm name which is to be reported to the client
    for proxy authentication (part of the text the user will see
    when prompted for their username and password).

proxy_auth_realm Squid proxy-caching web server
DOC_END

NAME: ident_lookup_access
TYPE: acl_access
IFDEF: USE_IDENT
DEFAULT: none
DEFAULT_IF_NONE: deny all
LOC: Config.accessList.identLookup
DOC_START
    A list of ACL elements which, if matched, cause an ident
    (RFC 931) lookup to be performed for this request. For
    example, you might choose to always perform ident lookups
    for your main multi-user Unix boxes, but not for your Macs
    and PCs. By default, ident lookups are not performed for
    any requests.

    To enable ident lookups for specific client addresses, you
    can follow this example:

        acl ident_aware_hosts src 198.168.1.0/255.255.255.0
        ident_lookup_access allow ident_aware_hosts
        ident_lookup_access deny all

    This option may be disabled by using --disable-ident with
    the configure script.

ident_lookup_access deny all
DOC_END

COMMENT_START
 ADMINISTRATIVE PARAMETERS
 -----------------------------------------------------------------------------
COMMENT_END

NAME: cache_mgr
TYPE: string
DEFAULT: webmaster
LOC: Config.adminEmail
DOC_START
    Email-address of local cache manager who will receive
    mail if the cache dies. The default is "webmaster."

cache_mgr webmaster
DOC_END

NAME: cache_effective_user
TYPE: string
DEFAULT: nobody
LOC: Config.effectiveUser
DOC_NONE

NAME: cache_effective_group
TYPE: string
DEFAULT: nogroup
LOC: Config.effectiveGroup
DOC_START
    If the cache is run as root, it will change its effective/real
    UID/GID to the UID/GID specified below. The default is to
    change UID to nobody and GID to nogroup.

    If Squid is not started as root, the default is to keep the
    current UID/GID.
    Note that if Squid is not started as root then you
    cannot set http_port to a value lower than 1024.

cache_effective_user nobody
cache_effective_group nogroup
DOC_END

NAME: visible_hostname
TYPE: string
LOC: Config.visibleHostname
DEFAULT: none
DOC_START
    If you want to present a special hostname in error messages, etc,
    then define this. Otherwise, the return value of gethostname()
    will be used. If you have multiple caches in a cluster and
    get errors about IP-forwarding you must set them to have individual
    names with this setting.

visible_hostname www-cache.foo.org
DOC_END

NAME: unique_hostname
TYPE: string
LOC: Config.uniqueHostname
DEFAULT: none
DOC_START
    If you want to have multiple machines with the same
    'visible_hostname' then you must give each machine a different
    'unique_hostname' so that forwarding loops can be detected.

unique_hostname www-cache1.foo.org
DOC_END

COMMENT_START
 OPTIONS FOR THE CACHE REGISTRATION SERVICE
 -----------------------------------------------------------------------------

    This section contains parameters for the (optional) cache
    announcement service. This service is provided to help
    cache administrators locate one another in order to join or
    create cache hierarchies.

    An 'announcement' message is sent (via UDP) to the registration
    service by Squid. By default, the announcement message is NOT
    SENT unless you enable it with 'announce_period' below.

    The announcement message includes your hostname, plus the
    following information from this configuration file:

        http_port
        icp_port
        cache_mgr

    All current information is processed regularly and made
    available on the Web at http://ircache.nlanr.net/Cache/Tracker/.
COMMENT_END

NAME: announce_period
TYPE: time_t
LOC: Config.Announce.period
DEFAULT: 0
DOC_START
    This is how frequently to send cache announcements. The
    default is `0' which disables sending the announcement
    messages.
    To enable announcing your cache, just uncomment the line
    below.

announce_period 1 day
DOC_END

NAME: announce_host
TYPE: string
DEFAULT: tracker.ircache.net
LOC: Config.Announce.host
DOC_NONE

NAME: announce_file
TYPE: string
DEFAULT: none
LOC: Config.Announce.file
DOC_NONE

NAME: announce_port
TYPE: ushort
DEFAULT: 3131
LOC: Config.Announce.port
DOC_START
    announce_host and announce_port set the hostname and port
    number where the registration message will be sent.

    Hostname will default to 'tracker.ircache.net' and port will
    default to 3131. If the 'filename' argument is given,
    the contents of that file will be included in the announce
    message.

announce_host tracker.ircache.net
announce_port 3131
DOC_END

COMMENT_START
 HTTPD-ACCELERATOR OPTIONS
 -----------------------------------------------------------------------------
COMMENT_END

NAME: httpd_accel_host
TYPE: string
LOC: Config.Accel.host
DEFAULT: none
DOC_NONE

NAME: httpd_accel_port
TYPE: ushort
LOC: Config.Accel.port
DEFAULT: 80
DOC_START
    If you want to run Squid as an httpd accelerator, define the
    host name and port number where the real HTTP server is.

    If you want virtual host support then specify the hostname
    as "virtual".

    NOTE: enabling httpd_accel_host disables proxy-caching and
    ICP. If you want these features enabled also, then set
    the 'httpd_accel_with_proxy' option.

httpd_accel_host hostname
httpd_accel_port port
DOC_END

NAME: httpd_accel_with_proxy
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: Config.onoff.accel_with_proxy
DOC_START
    If you want to use Squid as both a local httpd accelerator
    and as a proxy, change this to 'on'.

httpd_accel_with_proxy off
DOC_END

NAME: httpd_accel_uses_host_header
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: opt_accel_uses_host
DOC_START
    HTTP/1.1 requests include a Host: header which is basically the
    hostname from the URL. Squid can be an accelerator for
    different HTTP servers by looking at this header. However,
    Squid does NOT check the value of the Host header, so it opens
    a big security hole.
    We recommend that this option remain
    disabled unless you are sure of what you are doing.

    However, you will need to enable this option if you run Squid
    as a transparent proxy. Otherwise, virtual servers which
    require the Host: header will not be properly cached.

httpd_accel_uses_host_header off
DOC_END

COMMENT_START
 MISCELLANEOUS
 -----------------------------------------------------------------------------
COMMENT_END

NAME: dns_testnames
TYPE: wordlist
LOC: Config.dns_testname_list
DEFAULT: none
DOC_START
    The DNS tests exit as soon as the first site is successfully looked up.

    If you want to disable DNS tests, do not comment out or delete this
    list. Instead use the -D command line option.

dns_testnames netscape.com internic.net nlanr.net microsoft.com
DOC_END

NAME: logfile_rotate
TYPE: int
DEFAULT: 10
LOC: Config.Log.rotateNumber
DOC_START
    Specifies the number of logfile rotations to make when you
    type 'squid -k rotate'. The default is 10, which will rotate
    with extensions 0 through 9. Setting logfile_rotate to 0 will
    disable the rotation, but the logfiles are still closed and
    re-opened. This will enable you to rename the logfiles
    yourself just before sending the rotate signal.

    Note, the 'squid -k rotate' command normally sends a USR1
    signal to the running squid process. In certain situations
    (e.g. on Linux with Async I/O), USR1 is used for other
    purposes, so -k rotate uses another signal. It is best to get
    in the habit of using 'squid -k rotate' instead of 'kill -USR1
    <pid>'.

logfile_rotate 10
DOC_END

NAME: append_domain
TYPE: string
LOC: Config.appendDomain
DEFAULT: none
DOC_START
    Appends local domain name to hostnames without any dots in
    them. append_domain must begin with a period.

append_domain .yourdomain.com
DOC_END

NAME: tcp_recv_bufsize
COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: 0 bytes
LOC: Config.tcpRcvBufsz
DOC_START
    Size of receive buffer to set for TCP sockets. Probably just
    as easy to change your kernel's default.
    Set to zero to use the default buffer size.

tcp_recv_bufsize 0 bytes
DOC_END

NAME: err_html_text
TYPE: eol
LOC: Config.errHtmlText
DEFAULT: none
DOC_START
    HTML text to include in error messages. Make this a "mailto"
    URL to your admin address, or maybe just a link to your
    organization's Web page.

    To include this in your error messages, you must rewrite
    the error template files (found in the "errors" directory).
    Wherever you want the 'err_html_text' line to appear,
    insert a %L tag in the error template file.

err_html_text
DOC_END

NAME: deny_info
TYPE: denyinfo
LOC: Config.denyInfoList
DEFAULT: none
DOC_START
    Usage: deny_info err_page_name acl
    Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys

    This can be used to return an ERR_ page for requests which
    do not pass the 'http_access' rules. A single ACL will cause
    the http_access check to fail. If a 'deny_info' line exists
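
An added example, not part of Squid's cf.data.pre: it replays the http_access "NOTE on default values" against the default ACLs and rules listed in this file, showing that dropping the trailing `deny all` turns the implicit default into allow for any client. First-match-wins ordering and the AND of ACLs on one line are assumed Squid semantics; the helper names and OUTSIDE_CLIENT are constructed for the illustration.

```python
import ipaddress

# ACL definitions and rules copied from the defaults shown on this page.
ACLS = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
"""
RULES_NO_CATCHALL = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
RULES_DEFAULT = RULES_NO_CATCHALL + "http_access deny all\n"
# Constructed sample request: a plain GET from an address outside the site.
OUTSIDE_CLIENT = {"src": "203.0.113.7", "port": 80, "method": "GET", "proto": "http"}

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        _, name, kind, *values = line.split()
        acls[name] = (kind, values)
    return acls

def acl_matches(acl, req):
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        spans = [tuple(map(int, v.split("-"))) for v in values]
        return any(s[0] <= req["port"] <= s[-1] for s in spans)
    return req[kind] in values  # proto, method: exact string match

def http_access(rules_text, acls, req):
    """Return (verdict, reason) following the evaluation the page describes."""
    rules = [l.split()[1:] for l in rules_text.splitlines() if l.startswith("http_access")]
    if not rules:
        return "allow", "no access lines"
    for action, *terms in rules:
        # Every ACL on the line must match (AND); a leading '!' negates the term.
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action, "matched: " + " ".join(terms)
    last = rules[-1][0]
    return ("allow" if last == "deny" else "deny"), "implicit: opposite of last line"
```

Calling `http_access(RULES_NO_CATCHALL, parse_acls(ACLS), OUTSIDE_CLIENT)` yields an implicit allow, while the same request against `RULES_DEFAULT` is denied by the explicit `all` rule.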