cf.data.pre

-

	for that ACL then Squid returns a corresponding error page.

	You may use ERR_ pages that come with Squid or create your own pages
	and put them into the configured errors/ directory.
DOC_END

NAME: memory_pools
COMMENT: on|off
TYPE: onoff
DEFAULT: on
LOC: Config.onoff.mem_pools
DOC_START
	If set, Squid will keep pools of allocated (but unused) memory
	available for future use.  If memory is a premium on your
	system and you believe your malloc library outperforms Squid 
	routines, disable this.

memory_pools on
DOC_END

NAME: memory_pools_limit
COMMENT: (bytes)
TYPE: b_size_t
DEFAULT: none
LOC: Config.MemPools.limit
DOC_START
	Used only with memory_pools on:
	memory_pools_limit 50 MB

	If set to a non-zero value, Squid will keep at most the specified
	limit of allocated (but unused) memory in memory pools. All free()
	requests that exceed this limit will be handled by your malloc
	library. Squid does not pre-allocate any memory, just safe-keeps
	objects that otherwise would be free()d. Thus, it is safe to set
	memory_pools_limit to a reasonably high value even if your
	configuration will use less memory.

	If not set (default) or set to zero, Squid will keep all memory it
	can. That is, there will be no limit on the total amount of memory
	used for safe-keeping.

	To disable memory allocation optimization, do not set
	memory_pools_limit to 0. Set memory_pools to "off" instead.

	An overhead for maintaining memory pools is not taken into account
	when the limit is checked. This overhead is close to four bytes per
	object kept. However, pools may actually _save_ memory because of
	reduced memory thrashing in your malloc library.
DOC_END

NAME: forwarded_for
COMMENT: on|off
TYPE: onoff
DEFAULT: on
LOC: opt_forwarded_for
DOC_START
	If set, Squid will include your system's IP address or name
	in the HTTP requests it forwards.  By default it looks like
	this:

		X-Forwarded-For: 192.1.2.3

	If you disable this, it will appear as

		X-Forwarded-For: unknown

forwarded_for on
DOC_END

NAME: log_icp_queries
COMMENT: on|off
TYPE: onoff
DEFAULT: on
LOC: Config.onoff.log_udp
DOC_START
	If set, ICP queries are logged to access.log. You may wish
	do disable this if your ICP load is VERY high to speed things
	up or to simplify log analysis.

log_icp_queries on
DOC_END

NAME: icp_hit_stale
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: Config.onoff.icp_hit_stale
DOC_START
	If you want to return ICP_HIT for stale cache objects, set this
	option to 'on'.  If you have sibling relationships with caches
	in other administrative domains, this should be 'off'.  If you only
	have sibling relationships with caches under your control, then
	it is probably okay to set this to 'on'.

icp_hit_stale off
DOC_END


NAME: minimum_direct_hops
TYPE: int
DEFAULT: 4
LOC: Config.minDirectHops
DOC_START
	If using the ICMP pinging stuff, do direct fetches for sites
	which are no more than this many hops away.

minimum_direct_hops 4
DOC_END


NAME: cachemgr_passwd
TYPE: cachemgrpasswd
DEFAULT: none
LOC: Config.passwd_list
DOC_START
	Specify passwords for cachemgr operations.

	Usage: cachemgr_passwd password action action ...

	Some valid actions are (see cache manager menu for a full list):
		5min
		60min
		asndb
		authenticator
		cbdata
		client_list
		comm_incoming
		config *
		counters
		delay
		digest_stats
		dns
		events
		filedescriptors
		fqdncache
		histograms
		http_headers
		info
		io
		ipcache
		mem
		menu
		netdb
		non_peers
		objects
		pconn
		peer_select
		redirector
		refresh
		server_list
		shutdown *
		store_digest
		storedir
		utilization
		via_headers
		vm_objects

	* Indicates actions which will not be performed without a
	  valid password, others can be performed if not listed here.

	To disable an action, set the password to "disable".
	To allow performing an action without a password, set the
	password to "none".

	Use the keyword "all" to set the same password for all actions.

cachemgr_passwd secret shutdown
cachemgr_passwd lesssssssecret info stats/objects
cachemgr_passwd disable all
DOC_END

NAME: store_avg_object_size
COMMENT: (kbytes)
TYPE: kb_size_t
DEFAULT: 13 KB
LOC: Config.Store.avgObjectSize
DOC_START
	Average object size, used to estimate number of objects your
	cache can hold.  See doc/Release-Notes-1.1.txt.  The default is
	13 KB.

store_avg_object_size 13 KB
DOC_END

NAME: store_objects_per_bucket
TYPE: int
DEFAULT: 50
LOC: Config.Store.objectsPerBucket
DOC_START
	Target number of objects per bucket in the store hash table.
	Lowering this value increases the total number of buckets and
	also the storage maintenance rate.  The default is 20.

store_objects_per_bucket 50
DOC_END

NAME: client_db
COMMENT: on|off
TYPE: onoff
DEFAULT: on
LOC: Config.onoff.client_db
DOC_START
	If you want to disable collecting per-client statistics, then
	turn off client_db here.

client_db on
DOC_END


NAME: netdb_low
TYPE: int
DEFAULT: 900
LOC: Config.Netdb.low
DOC_NONE

NAME: netdb_high
TYPE: int
DEFAULT: 1000
LOC: Config.Netdb.high
DOC_START
	The low and high water marks for the ICMP measurement
	database.  These are counts, not percents.  The defaults are
	900 and 1000.  When the high water mark is reached, database
	entries will be deleted until the low mark is reached.

netdb_low 900
netdb_high 1000
DOC_END


NAME: netdb_ping_period
TYPE: time_t
LOC: Config.Netdb.period
DEFAULT: 5 minutes
DOC_START
	The minimum period for measuring a site.  There will be at
	least this much delay between successive pings to the same
	network.  The default is five minutes.

netdb_ping_period 5 minutes
DOC_END


NAME: query_icmp
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: Config.onoff.query_icmp
DOC_START
	If you want to ask your peers to include ICMP data in their ICP
	replies, enable this option.

	If your peer has configured Squid (during compilation) with
	'--enable-icmp' then that peer will send ICMP pings to origin server
	sites of the URLs it receives.  If you enable this option then the
	ICP replies from that peer will include the ICMP data (if available).
	Then, when choosing a parent cache, Squid will choose the parent with
	the minimal RTT to the origin server.  When this happens, the
	hierarchy field of the access.log will be
	"CLOSEST_PARENT_MISS".  This option is off by default.

query_icmp off
DOC_END

NAME: test_reachability
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: Config.onoff.test_reachability
DOC_START
	When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
	instead of ICP_MISS if the target host is NOT in the ICMP
	database, or has a zero RTT.

test_reachability off
DOC_END

NAME: buffered_logs
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: Config.onoff.buffered_logs
DOC_START
	Some log files (cache.log, useragent.log) are written with
	stdio functions, and as such they can be buffered or
	unbuffered.  By default they will be unbuffered. Buffering them
	can speed up the writing slightly (though you are unlikely to
	need to worry).
buffered_logs off
DOC_END

NAME: reload_into_ims
IFDEF: HTTP_VIOLATIONS
COMMENT: on|off
TYPE: onoff
DEFAULT: off
LOC: Config.onoff.reload_into_ims
DOC_START
	When you enable this option, client no-cache or ``reload''
	requests will be changed to If-Modified-Since requests.
	Doing this VIOLATES the HTTP standard.  Enabling this
	feature could make you liable for problems which it
	causes.
	
	see also refresh_pattern for a more selective approach.

	This option may be disabled by using --disable-http-violations
	with the configure script.
reload_into_ims off
DOC_END

NAME: always_direct
TYPE: acl_access
LOC: Config.accessList.AlwaysDirect
DEFAULT: none
DOC_START
	Usage: always_direct allow|deny [!]aclname ...

	Here you can use ACL elements to specify requests which should
	ALWAYS be forwarded directly to origin servers.  For example,
	to always directly forward requests for local servers use
	something like:

		acl local-servers dstdomain my.domain.net
		always_direct allow local-servers

	To always forward FTP requests directly, use

		acl FTP proto FTP
		always_direct allow FTP

	NOTE: There is a similar, but opposite option named
	'never_direct'.  You need to be aware that "always_direct deny
	foo" is NOT the same thing as "never_direct allow foo".  You
	may need to use a deny rule to exclude a more-specific case of
	some other rule.  Example:

		acl local-external dstdomain external.foo.net
		acl local-servers dstdomain  foo.net
		always_direct deny local-external
		always_direct allow local-servers

	This option replaces some v1.1 options such as local_domain
	and local_ip.
DOC_END

NAME: never_direct
TYPE: acl_access
LOC: Config.accessList.NeverDirect
DEFAULT: none
DOC_START
	Usage: never_direct allow|deny [!]aclname ...

	never_direct is the opposite of always_direct.  Please read
	the description for always_direct if you have not already.

	With 'never_direct' you can use ACL elements to specify
	requests which should NEVER be forwarded directly to origin
	servers.  For example, to force the use of a proxy for all
	requests, except those in your local domain use something like:

		acl local-servers dstdomain foo.net
		acl all src 0.0.0.0/0.0.0.0
		never_direct deny local-servers
		never_direct allow all
	
	or if squid is inside a firewall and there is local intranet
	servers inside the firewall then use something like:

		acl local-intranet dstdomain foo.net
		acl local-external dstdomain external.foo.net
		always_direct deny local-external
		always_direct allow local-intranet
		never_direct allow all
	
	This option replaces some v1.1 options such as inside_firewall
	and firewall_ip.
DOC_END

NAME: anonymize_headers
TYPE: http_header
LOC: Config.anonymize_headers
DEFAULT: none
DOC_START
        Usage: anonymize_headers allow|deny header_name ...

	This option replaces the old 'http_anonymizer' option with
	something that is much more configurable.  You may now
	specify exactly which headers are to be allowed, or which
	are to be removed from outgoing requests.

	There are two methods of using this option.  You may either
	allow specific headers (thus denying all others), or you
	may deny specific headers (thus allowing all others).

	For example, to achieve the same behaviour as the old
	'http_anonymizer standard' option, you should use:

		anonymize_headers deny From Referer Server
		anonymize_headers deny User-Agent WWW-Authenticate Link
		
	Or, to reproduce the old 'http_anonymizer paranoid' feature
	you should use:

		anonymize_headers allow Allow Authorization Cache-Control
		anonymize_headers allow Content-Encoding Content-Length
		anonymize_headers allow Content-Type Date Expires Host
		anonymize_headers allow If-Modified-Since Last-Modified
		anonymize_headers allow Location Pragma Accept Charset
		anonymize_headers allow Accept-Encoding Accept-Language
		anonymize_headers allow Content-Language Mime-Version
		anonymize_headers allow Retry-After Title Connection
		anonymize_headers allow Proxy-Connection

	NOTE: You can not mix "allow" and "deny".  All 'anonymize_headers'
	lines must have the same second argument.

	By default, all headers are allowed (no anonymizing is
	performed).

anonymize_headers
DOC_END

NAME: fake_user_agent
TYPE: eol
LOC: Config.fake_ua
DEFAULT: none
DOC_START
	If you filter the User-Agent header with 'anonymize_headers' it
	may cause some Web servers to refuse your request.  Use this to
	fake one up.  For example:

	fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
	(credit to Paul Southworth pauls@etext.org for this one!)

fake_user_agent none
DOC_END

NAME: icon_directory
TYPE: string
LOC: Config.icons.directory
DEFAULT: @DEFAULT_ICON_DIR@
DOC_START
	Where the icons are stored. These are normally kept in
	@DEFAULT_ICON_DIR@
DOC_END

NAME: error_directory
TYPE: string
LOC: Config.errorDirectory
DEFAULT: @DEFAULT_ERROR_DIR@
DOC_START
	If you wish to create your own versions of the default
	(English) error files, either to customise them to suit your
	language or company copy the template english files to another
	directory and point this tag at them.
DOC_END

NAME: minimum_retry_timeout
COMMENT: (seconds)
TYPE: time_t
LOC: Config.retry.timeout
DEFAULT: 5 seconds
DOC_START
	This specifies the minimum connect timeout, for when the
	connect timeout is reduced to compensate for the availability
	of multiple IP addresses.

	When a connection to a host is initiated, and that host has
	several IP addresses, the default connection timeout is reduced
	by dividing it by the number of addresses.  So, a site with 15
	addresses would then have a timeout of 8 seconds for each
	address attempted.  To avoid having the timeout reduced to the
	point where even a working host would not have a chance to
	respond, this setting is provide