externalsupport

OPTIONS FOR EXTERNAL SUPPORT PROGRAMS

External support programs could be viewed as a simple means of modular design, allowing third parties to write modules to improve the features of Squid. That's being said, some of Squid's standard functionality is also provided by helper programs. The standard helper programs include dnsserver, pinger, and several authentication modules. Third party modules include redirectors, ad blockers, and additional authentication modules.

ftp_user

ftp_list_width

ftp_passive

ftp_sanitycheck

check_hostnames

cache_dns_program

dns_children

dns_retransmit_interval

dns_timeout

dns_defnames

dns_nameservers

hosts_file

diskd_program

unlinkd_program

pinger_program

redirect_program

redirect_children

redirect_concurrency

redirect_rewrites_host_header

redirector_access

auth_param

authenticate_cache_garbage_interval

authenticate_ttl

authenticate_ip_ttl

external_acl_type

Recommended minimum configuration

 

TAG NAME

ftp_user

Description

This is the email address Squid uses to login to remote FTP servers anonymously

Build Option

Default

Usage

ftp_user username

Default

ftp_user squid@

Synopsis

For login to some servers, an anonymous email address is to be used. This tag is used to provide the anonymous email address for the login. This can simply be a user name followed by an @ symbol, which your domain name can be automatically attached to. Or it can be a full email address. This should be something reasonable for your domain, such as [email protected], or in the domainless case first mentioned, squid@, which happens to be the default for this option.

Arguments

username

User name to be used while login

Example(s)
ftp_user [email protected]

 

TAG NAME

ftp_list_width

Description

The column width for auto-generated Web pages of FTP sites queried through Squid when Squid is in forward proxy
mode

Build Option

Default

Usage

ftp_list_width number

Default

ftp_list_width 32

Synopsis

This tag gives some control over how Squid formats the resulting file lists. Squid provides limited FTP proxy features to allow browsers (even older, non-FTP aware browsers) to communicate with FTP servers.

Arguments

number

Column width

Example(s)
ftp_list_width 48

 

TAG NAME

ftp_passive

Description

If your firewall does not allow Squid to use passive connections, then turn off this option

Build Option

Default

Usage

ftp_passive on|off

Default

ftp_passive on

Synopsis
Enable or disable passive connections.

Arguments

on/off

Enable or disable this option

 

TAG NAME

ftp_sanitycheck

Description

Squid performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested
server

Build Option

Default

Usage

ftp_sanitycheck on|off

Default

ftp_sanitycheck on

Synopsis

For security and data integrity reasons Squid by default performs sanity checks of the addresses of FTP data connections ensure the data connection is to the requested server. If you need to allow FTP connections to servers using another IP address for the data connection then turn this off.

Arguments

on/off

Enable or disable sanity checks

 

TAG NAME

check_hostnames

Description

For security and stability reasons Squid by default checks hostnames for Internet standard RFC compliance

Build Option

Default

Usage

check_hostnames on|off

Default

check_hostnames on

Synopsis
If you want Squid not to perform these checks then turn this directive off.

Arguments

on/off

Enable or disable hostname checks

 

TAG NAME

cache_dns_program

Description

This helper program is used for DNS resolution

Build Option

--disable-internal-dns

Usage

cache_dns_program program

Default

cache_dns_program /usr/local/Squid/libexec/dnsserver

Synopsis

Squid requires a non-blocking resolver for its queries, an external program called dnsserver is included in the standard distribution. This tag is used to specify the path for the external dnsserver program.

Arguments

program

Path and the external dnsserver program

Example(s)
cache_dns_program /usr/local/libexec/dnsserver

 

TAG NAME

dns_children

Description

The number of processes spawn to service DNS name lookups

Build Option

Default

Usage

dns_children number (1 to 32)

Default

dns_children 5

Synopsis

Specifies the number of external DNS resolver processes that will be started in order to serve requests. The default value of five is enough for many networks, however, if your Squid serves a large number of users, this value may need to be increased to avoid errors. However, increasing the number of processes also increases the load on system resources and may actually hinder performance if set too high. More than 10 is probably overkill.

Arguments

number

Number of dns children program

Example(s)
dns_children 10

 

TAG NAME

dns_retransmit_interval

Description

Defines the initial retransmit time interval for DNS queries

Build Option

Default

Usage

dns_retransmit_interval time-units

Default

dns_retransmit_interval 5 seconds

Synopsis
The interval is doubled each time all configured DNS servers have been tried.

Arguments

time-units

Retransmit time interval

Example(s)
dns_retransmit_interval 15 seconds

 

TAG NAME

dns_timeout

Description

This defines the DNS query timeout

Build Option

Default

Usage

dns_timeout time-units

Default

dns_timeout 5 minutes

Synopsis
If no response is received to a DNS query within this time then all DNS servers for the queried domain is assumed to be unavailable.

Arguments

time-units

DNS timeout period

Example(s)
dns_timeout 10 minutes

 

TAG NAME

dns_defnames

Description

Enable/disable the dnsserver to add the local domain name to single component host names

Build Option

Default

Usage

dns_defnames on|off

Default

dns_defnames off

Synopsis

Normally the 'dnsserver' disables the RES_DEFNAMES resolver option (see res_init(3)). This prevents caches in a hierarchy from interpreting single-component hostnames locally. To allow dnsserver to handle single-component names, enable this option.

Arguments

on/off

Enable or disable this option

 

TAG NAME

dns_nameservers

Description

Use this if you want to specify a list of DNS name servers (IP addresses) to use

Build Option

Default

Usage

dns_nameservers ip_address

Default

none

Synopsis

Normally defaults to resolve.conf, which simply means that Squid's parent DNS servers will be drawn from the /etc/resolve.conf file found on the system Squid runs on. It is possible to select other DNS servers if needed, for example to choose a more local caching DNS server, or a remote internet connected server.

Arguments

ip_address

IP address of the dns servers

Example(s)
dns_nameservers 10.0.0.1 192.172.0.4

 

TAG NAME

hosts_file

Description

Defines the location of the host-local IP name-address associations database

Build Option

Default

Usage

host_file path/filename

Default

hosts_file /etc/hosts

Synopsis
For Unix and Linux system this file is located at /etc/hosts

Arguments

path

Path to the file that contains the ip addresses

filename

File that contains the ip addresses

Example(s)
hosts_file /hosts

 

TAG NAME

diskd_program

Description

Specifies the location of the diskd executable

Build Option

Default

Usage

diskd_program path/filename

Default

diskd_program /usr/local/Squid/libexec/diskd

Synopsis
This tag is used to specify the location where diskd program is located

Note: This is only useful if you have compiled in diskd as one of the store io modules.

Arguments

path

Path where diskd program is located

filename

File that performs diskd operation

Example(s)
diskd_program /usr/local/libexec/diskd

 

TAG NAME

unlinkd_program

Description

Specifies the location where executable for file deletion process is stored

Build Option

Default

Usage

unlinkd_program path/filename

Default

unlinkd_program /usr/local/Squid/libexec/unlinkd

Synopsis
The name of the helper program that deletes, or unlinks old files in the cache to make room for newer objects.

Arguments

path

Path where the program is located

filename

File that performs the specified operation

Example(s)
unlinkd_program /usr/local/libexec/unlinkd

 

TAG NAME

pinger_program

Description

Specifies the location of the executable for the pinger process

Build Option

--enable-icmp

Usage

pinger_program path/filename

Default

pinger_program /usr/local/Squid/libexec/pinger

Synopsis

An external program that provides Squid with ICMP RTT information so that it can more effectively choose between multiple remote parent caches for request fulfillment.

Arguments

path

Path of the pinger executable program

filename

File that performs the pinger process

Example(s)
pinger_program /usr/local/libexec/pinger

 

TAG NAME

redirect_program

Description

Specifies the location of the executable for the URL redirector

Build Option

Default

Usage

redirect_program path/redirector

Default

none

Synopsis
This provides a method to export a request to an external program, and then to import that programs response and act as though the client sent the resulting request. To configure a redirector, enter the path to the redirector and the redirector filename in this tag. By default, a redirector is not used.

Arguments

path

Location of the redirector program

redirector

Executable file that performs the redirection process

Example(s)
redirect_program /usr/local/squirm/bin/squirm

 

TAG NAME

redirect_children

Description

Specifies the number of redirector processes to spawn

Build Option

Default

Usage

redirect_children number

Default

redirect_children 5

Synopsis
For the redirector program, this defines the number of redirector process to spawn. If you start too few Squid will have to wait for them to process a backlog of URLs, slowing it down. If you start too many they will use RAM and other system resources.

Arguments

number

Number of redirector process to spawn

Example(s)
redirect_children 15

 

TAG NAME

redirect_concurrency

Description

Defines the number of requests each redirector helper can handle in parallel

Build Option

Default

Usage

redirect_concurrency number

Default

redirect_concurrency 0

Synopsis
Defaults to 0 which indicates that the redirector is a old-style single threaded redirector.

Arguments

number

Number of requests to be handle

Example(s)
redirect_concurrency 10

 

 

TAG NAME

redirect_rewrites_host_header

Description

Enable/disable Squid rewriting any host header in redirected requests

Build Option

Default

Usage

redirect_rewrites_host_header on|off

Default

redirect_rewrites_host_header on

Synopsis
By default Squid rewrites any host header in redirected requests. If you want Squid not to perform this operation disable this option.

Note: If you are running a accelerator then this may not be a wanted effect of a redirector

Arguments

on/off

Enable /disable rewriting of host headers

TAG NAME

redirector_access

Description

Used to define the access lists which are to be redirected to the rediretor process

Build Option

Default

Usage

redirector_access allow|deny acl ...

Default

none

Synopsis
Some access lists which does not need redirection can be denied using this tag. By default all requests are sent to the redirector process.

Arguments

allow/deny

Allow or deny the access list

acl

List that to be allowed or denied

Example(s)
acl me src 172.16.1.35
redirector_access allow me

TAG NAME

auth_param

Description

Provides an interface to the external authentication interface within Squid

Build Option

Default

Usage

auth_param scheme parameter [setting]

Default

netdb_ping_period 5 minutes

Synopsis
This is used to pass parameters to the various authentication schemes making users to be authenticated in a number of ways. various schemes are explained below.

Scheme

Parameter

Explanation

basic

"program" cmdline

Specify the command for the external authenticator. Such a program reads a line containing "username
password" and replies "OK" or "ERR" in an endless loop. If you use an authenticator, make sure you have 1 acl
of type proxy_auth. By default, the basic authentication sheme is not used unless a program is specified.

If you want to use the traditional proxy authentication, jump over to the ../auth_modules/NCSA directory and
type:
% make
% make install

Then, set this line to something like

auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd

"children" numberofchildren

The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for them
to process a backlog of usercode/password verifications, slowing it down. When password verifications are done
via a (slow) network you are likely to need lots of authenticator processes.

auth_param basic children 5

"concurrency" concurrency

The number of concurrent requests the helper can process. The default of 0 is used for helpers who only
supports one request at a time.

auth_param basic concurrency 0

"realm" realmstring

Specifies the realm name which is to be reported to the client for the basic proxy authentication scheme (part of
the text the user will see when prompted their username and password). There is no default.

auth_param basic realm Squid proxy-caching web server

"credentialsttl" timetolive

Specifies how long Squid assumes an externally validated username:password pair is valid for - in other words
how often the helper program is called for that user. Set this low to force revalidation with short lived
passwords. Note that setting this high does not impact your susceptability to replay attacks unless you are
using an one-time password system (such as SecureID). If you are using such a system, you will be
vulnerable to replay attacks unless you also use the max_user_ip ACL in an http_access rule.

digest

"program" cmdline

Specify the command for the external authenticator. Such a program reads a line containing
"username":"realm" and replies with the appropriate H(A1) value base64 encoded. See rfc 2616 for the
definition of H(A1). If you use an authenticator, make sure you have 1 acl of type proxy_auth. By default,
authentication is not used.

If you want to use build an authenticator, jump over to the ../digest_auth_modules directory and choose the
authenticator to use. It's directory type
% make
% make install

Then, set this line to something like

auth_param digest program /usr/local/Squid/bin/digest_auth_pw /usr/local/Squid/etc/digpass

"children" number of children

The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for
them to process a backlog of H(A1) calculations, slowing it down. When the H(A1) calculations are done via a
(slow) network you are likely to need lots of authenticator processes.

auth_param digest children 5

"realm" realmstring

Specifies the realm name which is to be reported to the client for the digest proxy authentication scheme (part
of the text the user will see when prompted their username and password). There is no default.

auth_param digest realm Squid proxy-caching web server

"nonce_garbage_interval" timeinterval

Specifies the interval that nonces that have been issued to client_agent's are checked for validity.

NTLM

"program" cmdline

Specify the command for the external ntlm authenticator. Such a program reads a line containing the
uuencoded NEGOTIATE and replies with the ntlm CHALLENGE, then waits for the response and answers with
"OK" or "ERR" in an endless loop. If you use an ntlm authenticator, make sure you have 1 acl of type
proxy_auth. By default, the ntlm authenticator_program is not used.

auth_param ntlm program /usr/local/Squid/bin/ntlm_auth

"children" number of children

The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for
them to process a backlog of credential verifications, slowing it down. When crendential verifications are done
via a (slow) network you are likely to need lots of authenticator processes.

auth_param ntlm children 5

"max_challenge_reuses" number

The maximum number of times a challenge given by a ntlm authentication helper can be reused.
Increasing this number increases your exposure to replay attacks on your network. 0 means use the
challenge only once. (disable challenge caching) See max_ntlm_challenge_lifetime for more information.

auth_param ntlm max_challenge_reuses 0

"max_challenge_lifetime" timespan

The maximum time period that a ntlm challenge is reused over. The actual period will be the minimum of
this time AND the number of reused challenges.

auth_param ntlm max_challenge_lifetime 2 minutes

Note: Once an authentication scheme is fully configured, it can only be shutdown by shutting Squid down and restarting.

Arguments

scheme

One of the above mentioned authentication scheme

parameter

various parameters for the schemes as listed above

Example(s)
auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Recommended minimum configuration

auth_param digest program <uncomment and complete this line>
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

auth_param ntlm program <uncomment and complete this line to activate>
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program <uncomment and complete this line to activate>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

 

TAG NAME

authenticate_cache_garbage_interval

Description

Defines the time period between garbage collection across the username cache

Build Option

Default

Usage

authenticate_cache_garbage_interval time

Default

authenticate_cache_garbage_interval 1 hour

Synopsis
This tag is used to specify the time period between garbage collection across the username cache.

Arguments

time

Specifies the time period

Example(s)
authenticate_cache_garbage_interval 2 hour

TAG NAME

authenticate_ttl

Description

Defines the time period for user & their credentials stay in the logged user cache since their last request

Build Option

Default

Usage

authenticate_ttl time

Default

authenticate_ttl 1hour

Synopsis
When the defined timeout reaches, then all user credentials that have passed their TTL are removed from memory.

Arguments

time

Time period of credentials stay

Example(s)
authenticate_ttl 2 hour

 

TAG NAME

authenticate_ip_ttl

Description

If you use proxy authentication and the max_user_ip ACL, this tag controls how long Squid remembers the IP
addresses associated with each user

Build Option

Default

Usage

authenticate_ip_ttl time

Default

authenticate_ip_ttl 0 seconds

Synopsis
Use a small value (e.g., 60 seconds) if your users might change addresses quickly, as is the case with dialups. You might be safe using a larger value (e.g., 2 hours) in a corporate LAN environment with relatively static address assignments.

Arguments

time

Time period for which the ip addresses should be remembered

Example(s)
authenticate_ip_ttl 10 seconds
TAG NAME external_acl_type
Description This tag defines external acl classes using a helper program to look up the status
Build Option Default
Usage external_acl_type name [options] FORMAT.. path/helper [helper arguments..]
Default none

Synopsis

This tag defines how the external acl classes using a helper program should look up the status.

Arguments

name  External acl type name
path Path to the external helper program
helper Helper program

Options:

ttl=n TTL in seconds for cached results (defaults to 3600 for 1 hour)
negative_ttl=n TTL for cached negative lookups (default same as ttl)
children=n  Number of acl helper processes spawn to service external acl lookups of this type.
concurrency=n concurrency level per process. Use 0 for old style helpers who can only process a single request at a time.
cache=n result cache size, 0 is unbounded (default)
grace=n Percentage remaining of TTL where a refresh of a cached entry should be initiated without needing to wait 
for a new reply. (default 0 for no grace period)

FORMAT specifications:

%LOGIN Authenticated user login name
%IDENT Ident user name
%SRC Client IP
%SRCPORT Client source port
%DST Requested host
%PROTO Requested protocol
%PORT Requested port
%PATH Requested URL path
%METHOD Request method
%MYADDR Squid interface address
%MYPORT Squid http_port number
%USER_CERT_xx SSL User certificate attribute xx
%USER_CA_xx SSL User certificate CA attribute xx
%Header HTTP request header
%Hdr:member HTTP request header list member
%Hdr:;member HTTP request header list member using ; as list separator. ; can be any non-alphanumeric character.

In addition, any string specified in the referencing acl will also be included in the helper request line, after the specified formats (see the "acl external" directive)

The helper receives lines per the above format specification, and returns lines starting with OK or ERR indicating the validity of the request and optionally followed by additional keywords with more details.

General result syntax: OK/ERR keyword=value ...