NETWORK PARAMETERS
Network parameters control network configuration, e.g. communication ports, secure network access and options, SSL options, inter-cache communication, multicast ICP queries etc.
TAG NAME | http_port
Description | Port where Squid will listen for clients' HTTP requests
Build Option | Default
Usage | http_port port [options]
 | http_port hostname:port [options]
 | http_port ip_address:port [options]
Default | none

Synopsis
This parameter allows the user to define the address on which Squid will listen for clients' HTTP requests. This is a required parameter, and there are no defaults. Without this configuration, Squid will never start.

Arguments
port | Port to which Squid will bind the socket
hostname | Hostname to which Squid will bind the socket
ip_address | IP address to which Squid will bind the socket

When a hostname or IP address is specified (as shown in variations 2 and 3 above), Squid binds the socket to that specific address.

Note: The http_port parameter may be specified multiple times, with different addresses each time. This will cause Squid to listen on multiple ports.

Options are arguments that further control the behavior of the Squid proxy. The supported values are explained in the table below:

Options | Functions
transparent | Support for transparent interception of outgoing requests without browser settings
accel | Accelerator mode. Also needs at least one of vhost/vport/defaultsite.
defaultsite= | Main web site name for accelerators. Implies accel.
vhost | Accelerator using the Host header for virtual domain support.
vport | Accelerator using the Host header for virtual domain support.
allow-direct | Allow direct forwarding in accelerator mode.
vport= | As above, but uses specified port number rather than the http_port number.
urlgroup= | Default urlgroup to mark requests with.
protocol= | Protocol to reconstruct accelerated requests with. Defaults to http.
no-connection-auth | Prevent forwarding of Microsoft connection oriented authentication.
act-as-origin | Act as if this Squid is the origin server.
http11 | Enables HTTP/1.1 support to clients
name= | Specifies an internal name for the port.
tcpkeepalive= | Enable TCP keepalive probes of idle connections
tproxy | Support Linux TPROXY for spoofing outgoing connections using the client IP address.

Example(s)
http_port 3128
http_port 172.16.1.53:3300
http_port 172.16.1.53:80 accel defaultsite=visolve.com
http_port 3128 transparent
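
An added example, not part of the original reference or of Squid itself: a small Python linter that applies the rules stated above to http_port lines (no http_port line at all, accel without vhost/vport/defaultsite, options missing from the table). It assumes that a port given without a hostname or IP address binds on every local address; the function names and the SAMPLE input are constructed for illustration.

```python
# Added example: lint http_port lines against the rules stated on this page.
KNOWN = {"transparent", "accel", "defaultsite", "vhost", "vport", "allow-direct",
         "urlgroup", "protocol", "no-connection-auth", "act-as-origin",
         "http11", "name", "tcpkeepalive", "tproxy"}

def parse_http_port(line):
    """Split 'http_port [host:]port [options]' into bind host, port, options."""
    words = line.split("#", 1)[0].split()
    if len(words) < 2 or words[0] != "http_port":
        return None
    host, _, port = words[1].rpartition(":")
    opts = {}
    for w in words[2:]:
        key, _, val = w.partition("=")
        opts[key] = val
    return {"host": host or None, "port": int(port), "opts": opts}

def lint(conf_text):
    findings, seen = [], 0
    for n, raw in enumerate(conf_text.splitlines(), 1):
        p = parse_http_port(raw)
        if p is None:
            continue
        seen += 1
        o = p["opts"]
        if p["host"] is None:  # assumption: port-only form is a wildcard bind
            findings.append((n, "binds port %d on every local address" % p["port"]))
        # accel needs one of vhost/vport/defaultsite; defaultsite= implies accel
        if "accel" in o and not ({"vhost", "vport", "defaultsite"} & o.keys()):
            findings.append((n, "accel without vhost/vport/defaultsite"))
        for k in sorted(o.keys() - KNOWN):
            findings.append((n, "unknown option %r" % k))
    if seen == 0:
        findings.append((0, "no http_port line: Squid will not start"))
    return findings

SAMPLE = """\
http_port 3128
http_port 172.16.1.53:3300
http_port 172.16.1.53:80 accel defaultsite=visolve.com
http_port 172.16.1.53:8080 accel
http_port 172.16.1.53:3129 transparant
"""  # constructed input; lines 4 and 5 are deliberately wrong

if __name__ == "__main__":
    for line_no, msg in lint(SAMPLE):
        print("line %d: %s" % (line_no, msg))
```
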

TAG NAME | ssl_unclean_shutdown
Description | Used to handle bugs in browsers that do not fully support SSL
Build Option | --enable-ssl
Usage | ssl_unclean_shutdown on|off
Default | ssl_unclean_shutdown off

Synopsis
Some browsers, such as MSIE, exhibit bugs during SSL shutdown. Setting this tag to "on" works around those bugs.

Arguments
on/off | Enable or disable ssl_unclean_shutdown

TAG NAME | ssl_engine
Description | Defines the hardware SSL acceleration engine to be used
Build Option | --enable-ssl
Usage | ssl_engine engine
Default | none

Synopsis
The OpenSSL engine to use. For example, you will need to set this if you would like to use hardware SSL acceleration.

Arguments
engine | Hardware SSL accelerator to be used

TAG NAME | sslproxy_client_certificate
Description | Defines the client SSL certificate used when proxying https:// URLs
Build Option | --enable-ssl
Usage | sslproxy_client_certificate path/certificatefile
Default | none

Synopsis
When proxying requests for https:// URLs, this tag defines the path and file name of the client SSL certificate to be used for verification.

Arguments
path/certificatefile | Path and file that holds the client SSL certificate

Example(s)
sslproxy_client_certificate /usr/local/ssl/cert.pem

TAG NAME | sslproxy_client_key
Description | Defines the client SSL certificate key used when proxying https:// URLs
Build Option | --enable-ssl
Usage | sslproxy_client_key path/key.pem
Default | none

Synopsis
When Squid is used as a proxy server for requests to https:// URLs, this tag defines the path and file name of the client SSL certificate key.

Arguments
path/key.pem | Path and file that contains the client certificate key

Example(s)
sslproxy_client_key /usr/local/ssl/certkey.pem

TAG NAME | sslproxy_version
Description | Defines the SSL version level to be used when proxying https:// URLs
Build Option | --enable-ssl
Usage | sslproxy_version version
Default | sslproxy_version 1

Synopsis
When an SSL certificate is used for proxying https:// URLs, this tag can be used to define the SSL version level that will be used for handling encrypted connections.

Arguments
version | SSL version level

Example(s)
sslproxy_version 3

TAG NAME | sslproxy_options
Description | Defines the SSL engine options to be used when proxying https:// URLs
Build Option | --enable-ssl
Usage | sslproxy_options option
Default | none

Synopsis
When proxying https:// URLs, this tag is used to specify various SSL options.

Arguments

Example(s)
sslproxy_options NO_SSLv2

TAG NAME | sslproxy_cipher
Description | SSL cipher list to be used when proxying https:// URLs
Build Option | --enable-ssl
Usage | sslproxy_cipher cipher
Default | none

Synopsis
This tag sets the ciphers from which SSL will choose during the negotiation phase of the SSL connection when proxying https:// URLs.

Arguments
cipher | SSL proxy cipher to be used

TAG NAME | sslproxy_cafile
Description | Defines the file that contains the CA certificate
Build Option | --enable-ssl
Usage | sslproxy_cafile filename
Default | none

Synopsis
This tag defines the file that contains the CA certificate to be used for verifying server certificates when Squid is used as a proxy server for https:// URLs.

Arguments
filename | File that contains the CA certificate

Example(s)
sslproxy_cafile /usr/local/ca1.pem

TAG NAME | sslproxy_capath
Description | Defines the directory for the file containing the CA certificate
Build Option | --enable-ssl
Usage | sslproxy_capath path
Default | none

Synopsis
While proxying https:// URLs, this tag defines the path where the CA certificate file used for verifying server certificates is located.

Arguments
path | Path where the CA certificate file is located

Example(s)
sslproxy_capath /usr/local/

TAG NAME | sslproxy_flags
Description | Specifies how SSL should behave while proxying https:// URLs
Build Option | --enable-ssl
Usage | sslproxy_flags flags
Default | none

Synopsis
When Squid is used as a proxy server for https:// URLs, this tag is used to define how SSL behaves.

Arguments
Flags | Meaning
DONT_VERIFY_PEER | Accept certificates even if they fail to verify
NO_DEFAULT_CA | Don't use the default CA list built in to OpenSSL
NO_SESSION_REUSE | Don't allow for session reuse. Each connection will result in a new SSL session.
VERIFY_CRL | Verify CRL lists when accepting client certificates
VERIFY_CRL_ALL | Verify CRL lists for all certificates in the client certificate chain

Example(s)
sslproxy_flags NO_DEFAULT_CA
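
An added example, not from the original page or the Squid project: a Python check that reads the sslproxy_* directives described above and reports settings that weaken verification of origin servers, run over a weak and a corrected configuration. It assumes several flags or options on one line are separated by ',' or ':'; the function names and both sample configurations are constructed.

```python
import re

def directives(conf_text):
    """Return {directive: [argument words]}, keeping the last occurrence."""
    out = {}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            out[words[0]] = words[1:]
    return out

def audit_sslproxy(conf_text):
    d = directives(conf_text)
    # Assumption: values on one line are joined with ',' or ':'.
    flags = set(re.split(r"[,:]", ",".join(d.get("sslproxy_flags", []))))
    options = set(re.split(r"[,:]", ",".join(d.get("sslproxy_options", []))))
    findings = []
    if "DONT_VERIFY_PEER" in flags:
        findings.append("DONT_VERIFY_PEER: server certificates that fail "
                        "verification are accepted")
    has_ca = "sslproxy_cafile" in d or "sslproxy_capath" in d
    if "NO_DEFAULT_CA" in flags and not has_ca:
        findings.append("NO_DEFAULT_CA without sslproxy_cafile/sslproxy_capath: "
                        "no CA is left to verify servers against")
    if "NO_SSLv2" not in options:
        findings.append("sslproxy_options lacks NO_SSLv2")
    return findings

# Constructed sample configurations.
WEAK = """\
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA
sslproxy_client_certificate /usr/local/ssl/cert.pem
"""
CORRECTED = """\
sslproxy_flags NO_DEFAULT_CA
sslproxy_cafile /usr/local/ca1.pem
sslproxy_options NO_SSLv2
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        print(name, audit_sslproxy(conf) or "no findings")
```
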

TAG NAME | sslpassword_program
Description | Specify a program used for entering SSL key passphrases when using encrypted SSL certificate keys.
Build Option | --enable-ssl
Usage | sslpassword_program program
Default | none

Synopsis
Specify a program used for entering SSL key passphrases when using encrypted SSL certificate keys. If not specified, keys must either be unencrypted, or Squid must be started with the -N option to allow it to query interactively for the passphrase.

Arguments
program | Program used for entering the SSL key passphrase

Example(s)
sslpassword_program /usr/local/program

TAG NAME | icp_port
Description | Port number through which Squid sends and receives ICP queries
Build Option | Default
Usage | icp_port portnumber
Default | icp_port 0

Synopsis
Defines the port for ICP packets to be sent to and received from neighbour caches.

Arguments
portnumber | Port to which Squid will bind the socket

Example(s)
icp_port 3030

TAG NAME | htcp_port
Description | Port number through which Squid sends and receives HTCP queries
Build Option | --enable-htcp
Usage | htcp_port portnumber
Default | htcp_port 4827

Synopsis
This tag defines the port through which HTCP packets will be sent to and received from neighbour caches.

Arguments
portnumber | Port to which Squid will bind the socket

Example(s)
htcp_port 2134

TAG NAME | mcast_groups
Description | Defines the list of multicast groups which your server should join to receive multicast ICP queries
Build Option | Default
Usage | mcast_groups ip_address
Default | none

Synopsis
Multicast is essentially the ability to send one IP packet to multiple receivers. Your server will join the multicast groups defined by the IP addresses. This option is to be set only if you want to RECEIVE multicast queries. ICP replies are always sent via unicast, so this option does not affect whether or not you will receive replies from multicast group members.

Arguments
ip_address | IP address of the multicast groups to join

Example(s)
mcast_groups 239.128.16.128 224.0.1.20

TAG NAME | udp_incoming_address, udp_outgoing_address
Description | Defines the address for sending and receiving ICP packets
Build Option | Default
Usage | udp_incoming_address ip_address
 | udp_outgoing_address ip_address
Default | udp_incoming_address 0.0.0.0
 | udp_outgoing_address 255.255.255.255

Synopsis
These tags define the interface through which ICP packets are sent and received. The default behavior is to not bind to any specific address. A udp_incoming_address value of 0.0.0.0 indicates that Squid should listen for UDP messages on all available interfaces.
If udp_outgoing_address is set to 255.255.255.255 (the default), then it will use the same socket as udp_incoming_address. Only change this if you want to have ICP queries sent using an address other than the one where this Squid listens for ICP queries from other caches.

Arguments
ip_address | IP address to which Squid binds the ICP socket

Note: udp_incoming_address and udp_outgoing_address cannot have the same value since they both use port 3130.

Example(s)
udp_incoming_address 192.168.1.35
udp_outgoing_address 192.168.150.6