OPTIONS FOR EXTERNAL SUPPORT PROGRAMS

External support programs could be viewed as a simple means of modular design, allowing third parties to write modules to improve the features of Squid. That's being said, some of Squid's standard functionality is also provided by helper programs. The standard helper programs include dnsserver, pinger, and several authentication modules. Third party modules include redirectors, ad blockers, and additional authentication modules.

ftp_user	ftp_list_width	ftp_passive	ftp_sanitycheck	ftp_telnet_protocol
check_hostnames	allow_underscore	cache_dns_program	dns_children	dns_retransmit_interval
dns_timeout	dns_defnames	dns_nameservers	hosts_file	diskd_program
unlinkd_program	pinger_program	url_rewrite_program	url_rewrite_children	url_rewrite_concurrency
url_rewrite_host_header	url_rewrite_access	location_rewrite_program	location_rewrite_children	location_rewrite_concurrency
location_rewrite_access	auth_param	authenticate_cache_garbage_interval	authenticate_ttl	authenticate_ip_ttl
external_acl_type
Recommended minimum configuration

TAG NAME	ftp_user
Description	This is the email address Squid uses to login to remote FTP servers anonymously
Build Option	Default
Usage	ftp_user username
Default	ftp_user squid@

Synopsis

For login to some servers, an anonymous email address is to be used. This tag is used to provide the anonymous email address for the login. This can simply be a user name followed by an @ symbol, which your domain name can be automatically attached to. Or it can be a full email address. This should be something reasonable for your domain, such as [email protected], or in the domainless case first mentioned, squid@, which happens to be the default for this option.

Arguments

username

User name to be used while login

Example(s)
ftp_user [email protected]

TAG NAME	ftp_list_width
Description	The column width for auto-generated Web pages of FTP sites queried through Squid when Squid is in forward proxy mode
Build Option	Default
Usage	ftp_list_width number
Default	ftp_list_width 32

Synopsis

This tag gives some control over how Squid formats the resulting file lists. Squid provides limited FTP proxy features to allow browsers (even older, non-FTP aware browsers) to communicate with FTP servers.

Arguments

number

Column width

Example(s)
ftp_list_width 48

TAG NAME	ftp_passive
Description	If your firewall does not allow Squid to use passive connections, then turn off this option
Build Option	Default
Usage	ftp_passive on\|off
Default	ftp_passive on

Synopsis
Enable or disable passive connections.

Arguments

on/off

Enable or disable this option

TAG NAME	ftp_sanitycheck
Description	Squid performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested server
Build Option	Default
Usage	ftp_sanitycheck on\|off
Default	ftp_sanitycheck on

Synopsis

For security and data integrity reasons Squid by default performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested server. If you need to allow FTP connections to servers using another IP address for the data connection then turn this off.

Arguments

on/off

Enable or disable sanity checks

TAG NAME	ftp_telnet_protocol
Description	Allows to use the telnet protocol as transport channel for the control connection.
Build Option	Default
Usage	ftp_telnet_protocol on\|off
Default	ftp_telnet_protocol on

Synopsis

The FTP protocol is officially defined to use the telnet protocol as transport channel for the control connection. However, many implementations are broken and does not respect this aspect of the FTP protocol.

If there is any trouble accessing files with ASCII code 255 in the path or similar problems involving this ASCII code you can try setting this directive to off. If that helps, report to the operator of the FTP server in question that their FTP server is broken and does not follow the FTP standard.

Arguments

on/off

Enable or disable telnet protocol as transport channel

TAG NAME	check_hostnames
Description	For security and stability reasons Squid by default checks hostnames for Internet standard RFC compliance
Build Option	Default
Usage	check_hostnames on\|off
Default	check_hostnames on

Synopsis
If you want Squid not to perform these checks then turn this directive off.
If this directive is set to off, then squid disable the hostname validity/sanity checks before trying to look them up in DNS.

Arguments

on/off

Enable or disable hostname checks

TAG NAME	allow_underscore
Description	If it is enabled, the underscore character is allowed in the Internet Hostnames
Build Option	Default
Usage	allow_underscore on\|off
Default	allow_underscore on

Synopsis
Underscore character is strictly not allowed in Internet hostnames but nevertheless used by many sites. Set this to off if Squid sould be strict about the standard.

Arguments

on/off

Enable or disable underscore checks in URL

TAG NAME	cache_dns_program
Description	This helper program is used for DNS resolution
Build Option	--disable-internal-dns
Usage	cache_dns_program program
Default	cache_dns_program /usr/local/Squid/libexec/dnsserver

Synopsis

Squid requires a non-blocking resolver for its queries, an external program called dnsserver is included in the standard distribution. This tag is used to specify the path for the external dnsserver program.

Arguments

program

Path and the external dnsserver program

Example(s)
cache_dns_program /usr/local/libexec/dnsserver

TAG NAME	dns_children
Description	The number of processes spawn to service DNS name lookups
Build Option	Default
Usage	dns_children number (1 to 32)
Default	dns_children 5

Synopsis

Specifies the number of external DNS resolver processes that will be started in order to serve requests. The default value of five is enough for many networks, however, if your Squid serves a large number of users, this value may need to be increased to avoid errors. However, increasing the number of processes also increases the load on system resources and may actually hinder performance if set too high. More than 10 is probably overkill.

Arguments

number

Number of dns children program

Example(s)
dns_children 10

TAG NAME	dns_retransmit_interval
Description	Defines the initial retransmit time interval for DNS queries
Build Option	Default
Usage	dns_retransmit_interval time-units
Default	dns_retransmit_interval 5 seconds

Synopsis
The interval is doubled each time all configured DNS servers have been tried.

Arguments

time-units

Retransmit time interval

Example(s)
dns_retransmit_interval 15 seconds

TAG NAME	dns_timeout
Description	This defines the DNS query timeout
Build Option	Default
Usage	dns_timeout time-units
Default	dns_timeout 5 minutes

Synopsis
If no response is received to a DNS query within this time then all DNS servers for the queried domain is assumed to be unavailable.

Arguments

time-units

DNS timeout period

Example(s)
dns_timeout 10 minutes

TAG NAME	dns_defnames
Description	Enable/disable the dnsserver to add the local domain name to single component host names
Build Option	Default
Usage	dns_defnames on\|off
Default	dns_defnames off

Synopsis

Normally the 'dnsserver' disables the RES_DEFNAMES resolver option (see res_init(3)). This prevents caches in a hierarchy from interpreting single-component hostnames locally. To allow dnsserver to handle single-component names, enable this option.

Arguments

on/off

Enable or disable this option

TAG NAME	dns_nameservers
Description	Use this if you want to specify a list of DNS name servers (IP addresses) to use
Build Option	Default
Usage	dns_nameservers ip_address
Default	none

Synopsis

Normally defaults to resolve.conf, which simply means that Squid's parent DNS servers will be drawn from the /etc/resolve.conf file found on the system Squid runs on. It is possible to select other DNS servers if needed, for example to choose a more local caching DNS server, or a remote internet connected server.

Arguments

ip_address

IP address of the dns servers

Example(s)
dns_nameservers 10.0.0.1 192.172.0.4

TAG NAME	hosts_file
Description	Defines the location of the host-local IP name-address associations database
Build Option	Default
Usage	host_file path/filename
Default	hosts_file /etc/hosts

Synopsis
For Unix and Linux system this file is located at /etc/hosts

Arguments

path	Path to the file that contains the ip addresses
filename	File that contains the ip addresses

Example(s)
hosts_file /hosts

TAG NAME	diskd_program
Description	Specifies the location of the diskd executable
Build Option	Default
Usage	diskd_program path/filename
Default	diskd_program /usr/local/Squid/libexec/diskd

Synopsis
This tag is used to specify the location where diskd program is located

Note: This is only useful if you have compiled in diskd as one of the store io modules.

Arguments

path	Path where diskd program is located
filename	File that performs diskd operation

Example(s)
diskd_program /usr/local/libexec/diskd

TAG NAME	unlinkd_program
Description	Specifies the location where executable for file deletion process is stored
Build Option	Default
Usage	unlinkd_program path/filename
Default	unlinkd_program /usr/local/Squid/libexec/unlinkd

Synopsis
The name of the helper program that deletes, or unlinks old files in the cache to make room for newer objects.

Arguments

path	Path where the program is located
filename	File that performs the specified operation

Example(s)
unlinkd_program /usr/local/libexec/unlinkd

TAG NAME	pinger_program
Description	Specifies the location of the executable for the pinger process
Build Option	--enable-icmp
Usage	pinger_program path/filename
Default	pinger_program /usr/local/Squid/libexec/pinger

Synopsis

An external program that provides Squid with ICMP RTT information so that it can more effectively choose between multiple remote parent caches for request fulfillment.

Arguments

path	Path of the pinger executable program
filename	File that performs the pinger process

Example(s)
pinger_program /usr/local/libexec/pinger

TAG NAME	url_rewrite_program [previously called as redirect_program]
Description	Specifies the location of the executable for the URL redirector
Build Option	Default
Usage	url_rewrite_program path/to/rewriter/program
Default	none

Synopsis
Specify the location of the executable for the URL rewriter. Since they can perform almost any function there isn't one included.

For each requested URL, the rewriter will receive a line input with the following format
URL <SP> client_ip "/" fqdn <SP> user <SP> method <SP> urlgroup <NL>

The rewriter may return a rewritten URL. The other components of the request line does not need to be returned (ignored if they are).

The rewriter can also indicate that a client-side redirect should be performed to the new URL. This is done by prefixing the returned URL with "301:" (moved permanently) or 302: (moved temporarily).

It can also return a "urlgroup" that can subsequently be matched in cache_peer_access and similar ACL driven rules. An urlgroup is returned by prefixing the returned url with "!urlgroup!"

By default, a URL rewriter is not used.
Arguments

path	Location of the rewriter program
rewriter	Executable file that performs the rewrite process

Example(s)
url_rewrite_program /usr/local/squirm/bin/squirm

TAG NAME	url_rewrite_children [previously called as redirect_children]
Description	The number of redirector processes to spawn.
Build Option	Default
Usage	url_rewrite_children number
Default	url_rewrite_children 5

Synopsis

The number of redirector processes to spawn. If you start too few Squid will have to wait for them to process a backlog of URLs, slowing it down. If you start too many they will use RAM and other system resources.

Aguments

number

Number of rewrite process to spawn

Example(s)
url_rewrite_children 15

TAG NAME	url_rewrite_concurrency
Description	The number of requests each redirector helper can handle in parallel.
Build Option	Default
Usage	url_rewrite_concurrency number
Default	url_rewrite_concurrency 0

Synopsis
The number of requests each redirector helper can handle in parallel. Defaults to 0 which indicates that the redirector is a old-style singlethreaded redirector.

Arguments

number

Number of requests to be handle

Example(s)
url_rewrite_concurrency 10

TAG NAME	url_rewrite_host_header [previously called as redirect_rewrites_host_header]
Description	Enable/disable Squid rewriting any host header in redirected requests
Build Option	Default
Usage	url_rewrite_host_header on\|off
Default	url_rewrite_host_header on

Synopsis
By default Squid rewrites any Host: header in redirected requests.

Warning: If you are running a accelerator then this may not be a wanted effect of a redirector

Arguments

on/off

Enable /disable rewriting of host headers

TAG NAME	url_rewrite_access [previously called as redirector_access]
Description	Used to define the access lists specifies which requests are sent to the redirector processes.
Build Option	Default
Usage	url_rewrite_access allow\|deny acl ...
Default	none

Synopsis
Some access lists which does not need redirection can be denied using this tag. By default all requests are sent to the redirector process.

Arguments

allow/deny	Allow or deny the access list
acl	List that to be allowed or denied

Example(s)
acl me src 172.16.1.35
url_rewrite_access allow me

TAG NAME	location_rewritre_program
Description	Specify the location of the executable for the Location rewriter used to rewrite server generated redirects.
Build Option	Default
Usage	location_rewrite_program path/to/program
Default	none

Synopsis
Usually used in conjunction with a url_rewrite_program.

For each Location header received the location rewriter will receive one line with the format:
location URL <SP> requested URL <SP> urlgroup <NL>

The rewriter may return a rewritten Location URL or a blank line. The other components of the request line does not need to be returned (ignored if they are).

By default, a Location rewriter is not used.

Arguments

path	Location of the rewriter program
rewriter	Executable file that performs the rewrite process

Example(s)
location_rewrite_program /usr/local/squid/loc_prog

TAG NAME	location_rewrite_children
Description	Specify the number of location rewriting processes to spawn.
Build Option	Default
Usage	location_rewrite_children number
Default	location_rewarite_children 5

Synopsis
The number of location rewriting processes to spawn. If you start too few Squid will have to wait for them to process a backlog of URLs, slowing it down.

If you start too many they will use RAM and other system resources.

Arguments

number

Number of location rewrite process to spawn

Example(s)
location_rewrite_children 15

TAG NAME	location_rewrite_concurrency
Description	The number of requests each Location rewriter helper can handle in parallel.
Build Option	Default
Usage	location_rewrite_children number
Default	location_rewrite_children 0

Synopsis
The number of requests each Location rewriter helper can handle in parallel. Defaults to 0 which indicates that the helper is a old-style singlethreaded helper.

Arguments

number

Number of requests to be handle

Example(s)
location_rewrite_concurrency 10

TAG NAME	location_rewrite_access
Description	Used to define the access lists which are to be redirected to the location rewriting process
Build Option	Default
Usage	location_rewrite_access allow\|deny acl ...
Default	none

Synopsis
Some access lists specifies which requests are sent to location rewriting process. By default all requests are sent to the redirector process.

Arguments

allow/deny	Allow or deny the access list
acl	List that to be allowed or denied

Example(s)
acl me src 172.16.1.35
location_rewrite_access allow me

TAG NAME	auth_param
Description	Provides an interface to the external authentication interface within Squid
Build Option	Default
Usage	auth_param scheme parameter [setting]
Default	netdb_ping_period 5 minutes

Synopsis
This is used to pass parameters to the various authentication schemes making users to be authenticated in a number of ways. various schemes are explained below.

Scheme	Parameter	Explanation
basic	"program" cmdline	Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default, the basic authentication sheme is not used unless a program is specified. If you want to use the traditional proxy authentication, jump over to the ../auth_modules/NCSA directory and type: % make % make install Then, set this line to something like auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd
	"children" numberofchildren	The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for them to process a backlog of usercode/password verifications, slowing it down. When password verifications are done via a (slow) network you are likely to need lots of authenticator processes. auth_param basic children 5
	"concurrency" concurrency	The number of concurrent requests the helper can process. The default of 0 is used for helpers who only supports one request at a time. auth_param basic concurrency 0
	"realm" realmstring	Specifies the realm name which is to be reported to the client for the basic proxy authentication scheme (part of the text the user will see when prompted their username and password). There is no default. auth_param basic realm Squid proxy-caching web server
	"credentialsttl" timetolive	Specifies how long Squid assumes an externally validated username:password pair is valid for - in other words how often the helper program is called for that user. Set this low to force revalidation with short lived passwords. Note that setting this high does not impact your susceptability to replay attacks unless you are using an one-time password system (such as SecureID). If you are using such a system, you will be vulnerable to replay attacks unless you also use the max_user_ip ACL in an http_access rule.
	"casesensitive" on\|off	Specifies if usernames are case sensitive. Most user databases are case insensitive allowing the same username to be spelled using both lower and upper case letters, but some are case sensitive. auth_param basic casesensitive off
	"blankpassword" on\|off	Specifies if blank passwords should be supported. Defaults to off as there is multiple authentication backends which handles blank passwords as "guest" access.
digest	"program" cmdline	Specify the command for the external authenticator. Such a program reads a line containing "username":"realm" and replies with the appropriate H(A1) value base64 encoded. See rfc 2616 for the definition of H(A1). If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default, authentication is not used. If you want to use build an authenticator, jump over to the ../digest_auth_modules directory and choose the authenticator to use. It's directory type % make % make install Then, set this line to something like auth_param digest program /usr/local/Squid/bin/digest_auth_pw /usr/local/Squid/etc/digpass
	"children" number of children	The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for them to process a backlog of H(A1) calculations, slowing it down. When the H(A1) calculations are done via a (slow) network you are likely to need lots of authenticator processes. auth_param digest children 5
	"realm" realmstring	Specifies the realm name which is to be reported to the client for the digest proxy authentication scheme (part of the text the user will see when prompted their username and password). There is no default. auth_param digest realm Squid proxy-caching web server
	"nonce_garbage_interval" timeinterval	Specifies the interval that nonces that have been issued to client_agent's are checked for validity.
	"nonce_max_duration" timeinterval	Specifies the maximum length of time a given nonce will be valid for. auth_param digest nonce_max_duration 30 minutes
	"nonce_max_count" number	Specifies the maximum number of times a given nonce can be used. auth_param digest nonce_max_count 50
	"nonce_strictness" on\|off	Determines if squid requires strict increment-by-1 behavior for nonce counts, or just incrementing auth_param digest nonce_strictness off
	"check_nonce_count" on\|off	This directive if set to off can disable the nonce count check completely to work around buggy digest qop implementations in certain mainstream browser versions. auth_param digest check_nonce_count on
	"post_workaround" on\|off	This is a workaround to certain buggy browsers who sends an incorrect request digest in POST requests when reusing the same nonce as acquired earlier in response to a GET request. auth_param digest post_workaround off
NTLM	"program" cmdline	Specify the command for the external ntlm authenticator. Such a program reads a line containing the uuencoded NEGOTIATE and replies with the ntlm CHALLENGE, then waits for the response and answers with "OK" or "ERR" in an endless loop. If you use an ntlm authenticator, make sure you have 1 acl of type proxy_auth. By default, the ntlm authenticator_program is not used. auth_param ntlm program /usr/local/Squid/bin/ntlm_auth
	"children" number of children	The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for them to process a backlog of creden

externals