SOLVED

Squid network problem

Member: mcafeehasser

29.12.2011, updated 18:43, 10141 views, 12 comments

Hello,

I am currently setting up an SBS 2011 Standard environment, and Squid 2.7 for Windows is to serve as the proxy.

My problem is that the clients do not establish a connection to Squid. On the DC, where Squid also runs, access works.

When I go through the Access.log file, I see only the requests from the DC; not a single client IP shows up.

The clients are in the domain, DNS works, and an NSLOOKUP for e.g. www.heise.de is resolved cleanly by the DC.

The IP range is a standard 192.168.x.x/24.

In the web browsers (IE & FF), Squid is entered with port 3128. For this I also created, among other things, a DNS entry that can be pinged from the clients without problems; entering the IP there instead does not help either.

Since the general connection to the outside apparently works and only the HTTP request apparently does not reach Squid, I am currently somewhat at a loss as to what else it could be.

The Windows Firewall can be ruled out; I have completely disabled it on at least one client.

I am grateful for any hint.

Regards
Member: Dani
29.12.2011 at 18:42
Hello,
what does your Squid configuration look like?

Regards,
Dani
Member: mcafeehasser
30.12.2011 at 10:29
Hello Dani,

I configured the Squid.Conf more or less according to the defaults. Since attachments are not possible, here is the text from the ACLs up to the last place I changed.
Since the localnet ACL effectively covers my network, I did not create a separate ACL for the network.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 8080	# http2
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
#acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 3000	# Star Money
acl Safe_ports port 1080	# Star Money
acl CONNECT method CONNECT
 
#  TAG: http_access
#	Allowing or Denying access based on defined access lists

#	Access to the HTTP port:
#	http_access allow|deny [!]aclname ...

#	NOTE on default values:

#	If there are no "access" lines present, the default is to deny
#	the request.

#	If none of the "access" lines cause a match, the default is the
#	opposite of the last line in the list.  If the last line was
#	deny, the default is allow.  Conversely, if the last line
#	is allow, the default will be deny.  For these reasons, it is a
#	good idea to have an "deny all" or "allow all" entry at the end
#	of your access lists to avoid potential confusion.

#Default:
# http_access deny all

#Recommended minimum configuration:

# Only allow cachemgr access from localhost
#http_access allow lokal
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet

# And finally deny all other access to this proxy
http_access deny all
 
#  TAG: http_access2
#	Allowing or Denying access based on defined access lists

#	Identical to http_access, but runs after redirectors. If not set
#	then only http_access is used.

#Default:
# none

#  TAG: http_reply_access
#	Allow replies to client requests. This is complementary to http_access.

#	http_reply_access allow|deny [!] aclname ...

#	NOTE: if there are no access lines present, the default is to allow
#	all replies

#	If none of the access lines cause a match the opposite of the
#	last line will apply. Thus it is good practice to end the rules
#	with an "allow all" or "deny all" entry.

#Default:
# http_reply_access allow all

#  TAG: icp_access
#	Allowing or Denying access to the ICP port based on defined
#	access lists

#	icp_access  allow|deny [!]aclname ...

#	See http_access for details

#Default:
# icp_access deny all

#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all
 
#  TAG: htcp_access
#	Allowing or Denying access to the HTCP port based on defined
#	access lists

#	htcp_access  allow|deny [!]aclname ...

#	See http_access for details

#	NOTE: The default if no htcp_access lines are present is to
#	deny all traffic. This default may cause problems with peers
#	using the htcp or htcp-oldsquid options.

#Default:
# htcp_access deny all

#Allow HTCP queries from local networks only
# htcp_access allow localnet
# htcp_access deny all

#  TAG: htcp_clr_access
#	Allowing or Denying access to purge content using HTCP based
#	on defined access lists

#	htcp_clr_access  allow|deny [!]aclname ...

#	See http_access for details

##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer

#Default:
# htcp_clr_access deny all

#  TAG: miss_access
#	Use to force your neighbors to use you as a sibling instead of
#	a parent.  For example:

#		acl localclients src 172.16.0.0/16
#		miss_access allow localclients
#		miss_access deny  !localclients

#	This means only your local clients are allowed to fetch
#	MISSES and all other clients can only fetch HITS.

#	By default, allow all clients who passed the http_access rules
#	to fetch MISSES from us.

#Default setting:
# miss_access allow all
 
#  TAG: ident_lookup_access
#	A list of ACL elements which, if matched, cause an ident
#	(RFC931) lookup to be performed for this request.  For
#	example, you might choose to always perform ident lookups
#	for your main multi-user Unix boxes, but not for your Macs
#	and PCs.  By default, ident lookups are not performed for
#	any requests.

#	To enable ident lookups for specific client addresses, you
#	can follow this example:

#	acl ident_aware_hosts src 198.168.1.0/255.255.255.0
#	ident_lookup_access allow ident_aware_hosts
#	ident_lookup_access deny all

#	Only src type ACL checks are fully supported.  A src_domain
#	ACL might work at times, but it will not always provide
#	the correct result.

#Default:
# ident_lookup_access deny all

#  TAG: reply_body_max_size	bytes deny acl acl...
#	This option specifies the maximum size of a reply body in bytes.
#	It can be used to prevent users from downloading very large files,
#	such as MP3's and movies. When the reply headers are received,
#	the reply_body_max_size lines are processed, and the first line with
#	a result of "deny" is used as the maximum body size for this reply.
#	This size is checked twice. First when we get the reply headers,
#	we check the content-length value.  If the content length value exists
#	and is larger than the allowed size, the request is denied and the
#	user receives an error message that says "the request or reply
#	is too large." If there is no content-length, and the reply
#	size exceeds this limit, the client's connection is just closed
#	and they will receive a partial reply.

#	WARNING: downstream caches probably can not detect a partial reply
#	if there is no content-length header, so they will cache
#	partial responses and give them out as hits.  You should NOT
#	use this option if you have downstream caches.

#	If you set this parameter to zero (the default), there will be
#	no limit imposed.

#Default:
# reply_body_max_size 0 allow all

#  TAG: authenticate_ip_shortcircuit_access
#	Access list determining when shortcicuiting the authentication process
#	based on source IP cached credentials is acceptable. Use this to deny
#	using the ip auth cache on requests from child proxies or other source
#	ip's having multiple users.

#	See also authenticate_ip_shortcircuit_ttl directive

#Default:
# none
 
# OPTIONS FOR X-Forwarded-For
# -----------------------------------------------------------------------------

#  TAG: follow_x_forwarded_for
#	Allowing or Denying the X-Forwarded-For header to be followed to
#	find the original source of a request.

#	Requests may pass through a chain of several other proxies
#	before reaching us.  The X-Forwarded-For header will contain a
#	comma-separated list of the IP addresses in the chain, with the
#	rightmost address being the most recent.

#	If a request reaches us from a source that is allowed by this
#	configuration item, then we consult the X-Forwarded-For header
#	to see where that host received the request from.  If the
#	X-Forwarded-For header contains multiple addresses, and if
#	acl_uses_indirect_client is on, then we continue backtracking
#	until we reach an address for which we are not allowed to
#	follow the X-Forwarded-For header, or until we reach the first
#	address in the list.  (If acl_uses_indirect_client is off, then
#	it's impossible to backtrack through more than one level of
#	X-Forwarded-For addresses.)

#	The end result of this process is an IP address that we will
#	refer to as the indirect client address.  This address may
#	be treated as the client address for access control, delay
#	pools and logging, depending on the acl_uses_indirect_client,
#	delay_pool_uses_indirect_client and log_uses_indirect_client
#	options.

#	SECURITY CONSIDERATIONS:

#		Any host for which we follow the X-Forwarded-For header
#		can place incorrect information in the header, and Squid
#		will use the incorrect information as if it were the
#		source address of the request.  This may enable remote
#		hosts to bypass any access control restrictions that are
#		based on the client's source addresses.

#	For example:

#		acl localhost src 127.0.0.1
#		acl my_other_proxy srcdomain .proxy.example.com
#		follow_x_forwarded_for allow localhost
#		follow_x_forwarded_for allow my_other_proxy

#Default:
# follow_x_forwarded_for deny all

#  TAG: acl_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in acl matching.

#Default:
# acl_uses_indirect_client on

#  TAG: delay_pool_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in delay pools.

#Default:
# delay_pool_uses_indirect_client on

#  TAG: log_uses_indirect_client	on|off
#	Controls whether the indirect client address
#	(see follow_x_forwarded_for) is used instead of the
#	direct client address in the access log.

#Default:
# log_uses_indirect_client on
 
# SSL OPTIONS
# -----------------------------------------------------------------------------

#  TAG: ssl_unclean_shutdown
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	Some browsers (especially MSIE) bugs out on SSL shutdown
#	messages.

#Default:
# ssl_unclean_shutdown off

#  TAG: ssl_engine
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	The OpenSSL engine to use. You will need to set this if you
#	would like to use hardware SSL acceleration for example.

#Default:
# none

#  TAG: sslproxy_client_certificate
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	Client SSL Certificate to use when proxying https:// URLs

#Default:
# none

#  TAG: sslproxy_client_key
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	Client SSL Key to use when proxying https:// URLs

#Default:
# none

#  TAG: sslproxy_version
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	SSL version level to use when proxying https:// URLs

#Default:
# sslproxy_version 1

#  TAG: sslproxy_options
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	SSL engine options to use when proxying https:// URLs

#Default:
# none

#  TAG: sslproxy_cipher
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	SSL cipher list to use when proxying https:// URLs

#Default:
# none

#  TAG: sslproxy_cafile
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	file containing CA certificates to use when verifying server
#	certificates while proxying https:// URLs

#Default:
# none

#  TAG: sslproxy_capath
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	directory containing CA certificates to use when verifying
#	server certificates while proxying https:// URLs

#Default:
# none

#  TAG: sslproxy_flags
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	Various flags modifying the use of SSL while proxying https:// URLs:
#	    DONT_VERIFY_PEER    Accept certificates even if they fail to
#				verify.
#	    NO_DEFAULT_CA       Don't use the default CA list built in
#				to OpenSSL.

#Default:
# none

#  TAG: sslpassword_program
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	Specify a program used for entering SSL key passphrases
#	when using encrypted SSL certificate keys. If not specified
#	keys must either be unencrypted, or Squid started with the -N
#	option to allow it to query interactively for the passphrase.

#Default:
# none
 
# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]

#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port.  If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address.  This replaces the old 'tcp_incoming_address'
#	option.  Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.

#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.

#	The -I command line option will override the *first* port
#	specified here.

#	You may specify multiple socket addresses on multiple lines.

#	Options:

#	   transparent	Support for transparent interception of
#			outgoing requests without browser settings.

#	   tproxy	Support Linux TPROXY for spoofing outgoing
#			connections using the client IP address.

#	   accel	Accelerator mode. See also the related vhost,
#			vport and defaultsite directives.

#	   defaultsite=domainname
#			What to use for the Host: header if it is not present
#			in a request. Determines what site (not origin server)
#			accelerators should consider the default.
#			Defaults to visible_hostname:port if not set
#			May be combined with vport=NN to override the port number.
#			Implies accel.

#	   vhost	Accelerator mode using Host header for virtual
#			domain support. Implies accel.

#	   vport	Accelerator with IP based virtual host support.
#			Implies accel.

#	   vport=NN	As above, but uses specified port number rather
#			than the http_port number. Implies accel.

#	   allow-direct	Allow direct forwarding in accelerator mode. Normally
#	   		accelerated requests is denied direct forwarding as it
#			never_direct was used.

#	   urlgroup=	Default urlgroup to mark requests with (see
#			also acl urlgroup and url_rewrite_program)

#	   protocol=	Protocol to reconstruct accelerated requests with.
#			Defaults to http.

#	   no-connection-auth
#			Prevent forwarding of Microsoft connection oriented
#			authentication (NTLM, Negotiate and Kerberos)

#	   act-as-origin
#	   		Act is if this Squid is the origin server.
#			This currently means generate own Date: and
#			Expires: headers. Implies accel.

#	   http11	Enables HTTP/1.1 support to clients. The HTTP/1.1
#			support is still incomplete with an internal HTTP/1.0
#			hop, but should work with most clients. The main
#			HTTP/1.1 features missing due to this is forwarding
#			of requests using chunked transfer encoding (results
#			in 411) and forwarding of 1xx responses (silently
#			dropped)

#	   name=	Specifies a internal name for the port. Defaults to
#			the port specification (port or addr:port)

#	   tcpkeepalive[=idle,interval,timeout]
#			Enable TCP keepalive probes of idle connections
#			idle is the initial time before TCP starts probing
#			the connection, interval how often to probe, and
#			timeout the time before giving up.

#	If you run Squid on a dual-homed machine with an internal
#	and an external interface we recommend you to specify the
#	internal address:port in http_port. This way Squid will only be
#	visible on the internal address.

# Squid normally listens to port 3128

http_port 3128
 
#  TAG: https_port
# Note: This option is only available if Squid is rebuilt with the
#       --enable-ssl option

#	Usage:  [ip:]port cert=certificate.pem [key=key.pem] [options...]

#	The socket address where Squid will listen for HTTPS client
#	requests.

#	This is really only useful for situations where you are running
#	squid in accelerator mode and you want to do the SSL work at the
#	accelerator level.

#	You may specify multiple socket addresses on multiple lines,
#	each with their own SSL certificate and/or options.

#	Options:

#	In addition to the options specified for http_port the folling
#	SSL related options is supported:

#	   cert=	Path to SSL certificate (PEM format).

#	   key=		Path to SSL private key file (PEM format)
#			if not specified, the certificate file is
#			assumed to be a combined certificate and
#			key file.

#	   version=	The version of SSL/TLS supported
#			    1	automatic (default)
#			    2	SSLv2 only
#			    3	SSLv3 only
#			    4	TLSv1 only

#	   cipher=	Colon separated list of supported ciphers.

#	   options=	Various SSL engine options. The most important
#			being:
#			    NO_SSLv2  Disallow the use of SSLv2
#			    NO_SSLv3  Disallow the use of SSLv3
#			    NO_TLSv1  Disallow the use of TLSv1
#			    SINGLE_DH_USE Always create a new key when using
#				      temporary/ephemeral DH key exchanges
#			See src/ssl_support.c or OpenSSL SSL_CTX_set_options
#			documentation for a complete list of options.

#	   clientca=	File containing the list of CAs to use when
#			requesting a client certificate.

#	   cafile=	File containing additional CA certificates to
#			use when verifying client certificates. If unset
#			clientca will be used.

#	   capath=	Directory containing additional CA certificates
#			and CRL lists to use when verifying client certificates.

#	   crlfile=	File of additional CRL lists to use when verifying
#			the client certificate, in addition to CRLs stored in
#			the capath. Implies VERIFY_CRL flag below.

#	   dhparams=	File containing DH parameters for temporary/ephemeral
#			DH key exchanges.

#	   sslflags=	Various flags modifying the use of SSL:
#			    DELAYED_AUTH
#				Don't request client certificates
#				immediately, but wait until acl processing
#				requires a certificate (not yet implemented).
#			    NO_DEFAULT_CA
#				Don't use the default CA lists built in
#				to OpenSSL.
#			    NO_SESSION_REUSE
#				Don't allow for session reuse. Each connection
#				will result in a new SSL session.
#			    VERIFY_CRL
#				Verify CRL lists when accepting client
#				certificates.
#			    VERIFY_CRL_ALL
#				Verify CRL lists for all certificates in the
#				client certificate chain.

#	   sslcontext=	SSL session ID context identifier.

#Default:
# none
 
#  TAG: tcp_outgoing_tos
#	Allows you to select a TOS/Diffserv value to mark outgoing
#	connections with, based on the username or source address
#	making the request.

#	tcp_outgoing_tos ds-field [!]aclname ...

#	Example where normal_service_net uses the TOS value 0x00
#	and good_service_net uses 0x20

#	acl normal_service_net src 10.0.0.0/255.255.255.0
#	acl good_service_net src 10.0.1.0/255.255.255.0
#	tcp_outgoing_tos 0x00 normal_service_net
#	tcp_outgoing_tos 0x20 good_service_net

#	TOS/DSCP values really only have local significance - so you should
#	know what you're specifying. For more information, see RFC2474 and
#	RFC3260.

#	The TOS/DSCP byte must be exactly that - a octet value  0 - 255, or
#	"default" to use whatever default your host has. Note that in
#	practice often only values 0 - 63 is usable as the two highest bits
#	have been redefined for use by ECN (RFC3168).

#	Processing proceeds in the order specified, and stops at first fully
#	matching line.

#	Note: The use of this directive using client dependent ACLs is
#	incompatible with the use of server side persistent connections. To
#	ensure correct results it is best to set server_persisten_connections
#	to off when using this directive in such configurations.

#Default:
# none

#  TAG: tcp_outgoing_address
#	Allows you to map requests to different outgoing IP addresses
#	based on the username or source address of the user making
#	the request.

#	tcp_outgoing_address ipaddr [[!]aclname] ...

#	Example where requests from 10.0.0.0/24 will be forwarded
#	with source address 10.1.0.1, 10.0.2.0/24 forwarded with
#	source address 10.1.0.2 and the rest will be forwarded with
#	source address 10.1.0.3.

#	acl normal_service_net src 10.0.0.0/24
#	acl good_service_net src 10.0.1.0/24 10.0.2.0/24
#	tcp_outgoing_address 10.1.0.1 normal_service_net
#	tcp_outgoing_address 10.1.0.2 good_service_net
#	tcp_outgoing_address 10.1.0.3

#	Processing proceeds in the order specified, and stops at first fully
#	matching line.

#	Note: The use of this directive using client dependent ACLs is
#	incompatible with the use of server side persistent connections. To
#	ensure correct results it is best to set server_persistent_connections
#	to off when using this directive in such configurations.

#Default:
# none
 
#  TAG: zph_mode
#	This option enables packet level marking of HIT/MISS responses,
#	either using IP TOS or socket priority.
#	    off		Feature disabled
#	    tos		Set the IP TOS/Diffserv field
#	    priority	Set the socket priority (may get mapped to TOS by OS,
#			otherwise only usable in local rulesets)
#	    option	Embed the mark in an IP option field. See also
#	    		zph_option.

#	See also tcp_outgoing_tos for details/requirements about TOS usage.

#Default:
# zph_mode off

#  TAG: zph_local
#	Allows you to select a TOS/Diffserv/Priority value to mark local hits.
#	Default: 0 (disabled).

#Default:
# zph_local 0

#  TAG: zph_sibling
#	Allows you to select a TOS/Diffserv/Priority value to mark sibling hits.
#	Default: 0 (disabled).

#Default:
# zph_sibling 0

#  TAG: zph_parent
#	Allows you to select a TOS/Diffserv/Priority value to mark parent hits.
#	Default: 0 (disabled).

#Default:
# zph_parent 0

#  TAG: zph_option
#	The IP option to use when zph_mode is set to "option". Defaults to
#	136 which is officially registered as "SATNET Stream ID".

#Default:
# zph_option 136
 
710.
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM 
711.
# ----------------------------------------------------------------------------- 
712.
 
713.
#  TAG: cache_peer 
714.
#	To specify other caches in a hierarchy, use the format: 
#
#		cache_peer hostname type http-port icp-port [options]
#
#	For example,
#
#	#                                        proxy  icp
#	#          hostname             type     port   port  options
#	#          -------------------- -------- ----- -----  -----------
#	cache_peer parent.foo.net       parent    3128  3130  proxy-only default
#	cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
#	cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
#
#	      type:  either 'parent', 'sibling', or 'multicast'.
#
#	proxy-port:  The port number where the cache listens for proxy
#		     requests.
#
#	  icp-port:  Used for querying neighbor caches about
#		     objects.  To have a non-ICP neighbor
#		     specify '7' for the ICP port and make sure the
#		     neighbor machine has the UDP echo port
#		     enabled in its /etc/inetd.conf file.
#		NOTE: Also requires icp_port option enabled to send/receive
#		      requests via this method.
#
#	    options: proxy-only
#		     weight=n
#		     ttl=n
#		     no-query
#		     default
#		     round-robin
#		     carp
#		     multicast-responder
#		     multicast-siblings
#		     closest-only
#		     no-digest
#		     no-netdb-exchange
#		     no-delay
#		     login=user:password | PASS | *:password
#		     connect-timeout=nn
#		     digest-url=url
#		     allow-miss
#		     max-conn=n
#		     htcp
#		     htcp-oldsquid
#		     originserver
#		     userhash
#		     sourcehash
#		     name=xxx
#		     monitorurl=url
#		     monitorsize=sizespec
#		     monitorinterval=seconds
#		     monitortimeout=seconds
#		     forceddomain=name
#		     ssl
#		     sslcert=/path/to/ssl/certificate
#		     sslkey=/path/to/ssl/key
#		     sslversion=1|2|3|4
#		     sslcipher=...
#		     ssloptions=...
#		     front-end-https[=on|auto]
#		     connection-auth[=on|off|auto]
#		     idle=n
#		     http11
#
#		     use 'proxy-only' to specify objects fetched
#		     from this cache should not be saved locally.
#
#		     use 'weight=n' to affect the selection of a peer
#		     during any weighted peer-selection mechanisms.
#		     The weight must be an integer; default is 1,
#		     larger weights are favored more.
#		     This option does not affect parent selection if a peering
#		     protocol is not in use.
#
#		     use 'ttl=n' to specify an IP multicast TTL to use
#		     when sending ICP queries to this address.
#		     Only useful when sending to a multicast group.
#		     Because we don't accept ICP replies from random
#		     hosts, you must configure other group members as
#		     peers with the 'multicast-responder' option below.
#
#		     use 'no-query' to NOT send ICP queries to this
#		     neighbor.
#
#		     use 'default' if this is a parent cache which can
#		     be used as a "last-resort" if a peer cannot be located
#		     by any of the peer-selection mechanisms.
#		     If specified more than once, only the first is used.
#
#		     use 'round-robin' to define a set of parents which
#		     should be used in a round-robin fashion in the
#		     absence of any ICP queries.
#
#		     use 'carp' to define a set of parents which should
#		     be used as a CARP array. The requests will be
#		     distributed among the parents based on the CARP load
#		     balancing hash function based on their weight.
#
#		     'multicast-responder' indicates the named peer
#		     is a member of a multicast group.  ICP queries will
#		     not be sent directly to the peer, but ICP replies
#		     will be accepted from it.
#
#		     the 'multicast-siblings' option is meant to be used
#		     only for cache peers of type "multicast". It instructs
#		     Squid that ALL members of this multicast group have
#		     "sibling" relationship with it, not "parent".  This is
#		     an optimization that avoids useless multicast queries
#		     to a multicast group when the requested object would
#		     be fetched only from a "parent" cache, anyway.  It's
#		     useful, e.g., when configuring a pool of redundant
#		     Squid proxies, being members of the same
#		     multicast group.
#
#		     'closest-only' indicates that, for ICP_OP_MISS
#		     replies, we'll only forward CLOSEST_PARENT_MISSes
#		     and never FIRST_PARENT_MISSes.
#
#		     use 'no-digest' to NOT request cache digests from
#		     this neighbor.
#
#		     'no-netdb-exchange' disables requesting ICMP
#		     RTT database (NetDB) from the neighbor.
#
#		     use 'no-delay' to prevent access to this neighbor
#		     from influencing the delay pools.
#
#		     use 'login=user:password' if this is a personal/workgroup
#		     proxy and your parent requires proxy authentication.
#		     Note: The string can include URL escapes (i.e. %20 for
#		     spaces). This also means % must be written as %%.
#
#		     use 'login=PASS' if users must authenticate against
#		     the upstream proxy or in the case of a reverse proxy
#		     configuration, the origin web server.  This will pass
#		     the user's credentials as they are to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     share the same user database as HTTP only allows for
#		     a single login (one for proxy, one for origin server).
#		     Also be warned this will expose your users' proxy
#		     password to the peer. USE WITH CAUTION
#
#		     use 'login=*:password' to pass the username to the
#		     upstream cache, but with a fixed password. This is meant
#		     to be used when the peer is in another administrative
#		     domain, but it is still needed to identify each user.
#		     The star can optionally be followed by some extra
#		     information which is added to the username. This can
#		     be used to identify this proxy to the peer, similar to
#		     the login=username:password option above.
#
#		     use 'connect-timeout=nn' to specify a peer
#		     specific connect timeout (also see the
#		     peer_connect_timeout directive)
#
#		     use 'digest-url=url' to tell Squid to fetch the cache
#		     digest (if digests are enabled) for this host from
#		     the specified URL rather than the Squid default
#		     location.
#
#		     use 'allow-miss' to disable Squid's use of only-if-cached
#		     when forwarding requests to siblings. This is primarily
#		     useful when icp_hit_stale is used by the sibling. Too
#		     extensive use of this option may result in forwarding
#		     loops, and you should avoid having two-way peerings
#		     with this option. (for example to deny peer usage on
#		     requests from peer by denying cache_peer_access if the
#		     source is a peer)
#
#		     use 'max-conn=n' to limit the number of connections Squid
#		     may open to this peer.
#
#		     use 'htcp' to send HTCP, instead of ICP, queries
#		     to the neighbor.  You probably also want to
#		     set the "icp port" to 4827 instead of 3130.
#		     You must also allow this Squid htcp_access and
#		     http_access in the peer Squid configuration.
#
#		     use 'htcp-oldsquid' to send HTCP to old Squid versions
#		     You must also allow this Squid htcp_access and
#		     http_access in the peer Squid configuration.
#
#		     'originserver' causes this parent peer to be contacted as
#		     an origin server. Meant to be used in accelerator setups.
#
#		     use 'userhash' to load-balance amongst a set of parents
#		     based on the client proxy_auth or ident username.
#
#		     use 'sourcehash' to load-balance amongst a set of parents
#		     based on the client source ip.
#
#		     use 'name=xxx' if you have multiple peers on the same
#		     host but different ports. This name can be used to
#		     differentiate the peers in cache_peer_access and similar
#		     directives.
#
#		     use 'monitorurl=url' to have Squid periodically request a given
#		     URL from the peer, and only consider the peer as alive
#		     if this monitoring is successful (default none)
#
#		     use 'monitorsize=min[-max]' to limit the size range of
#		     'monitorurl' replies considered valid. Defaults to 0 to
#		     accept any size replies as valid.
#
#		     use 'monitorinterval=seconds' to change frequency of
#		     how often the peer is monitored with 'monitorurl'
#		     (default 300 for a 5 minute interval). If set to 0
#		     then monitoring is disabled even if a URL is defined.
#
#		     use 'monitortimeout=seconds' to change the timeout of
#		     'monitorurl'. Defaults to 'monitorinterval'.
#
#		     use 'forceddomain=name' to forcibly set the Host header
#		     of requests forwarded to this peer. Useful in accelerator
#		     setups where the server (peer) expects a certain domain
#		     name and using redirectors to feed this domain name
#		     is not feasible.
#
#		     use 'ssl' to indicate connections to this peer should
#		     be SSL/TLS encrypted.
#
#		     use 'sslcert=/path/to/ssl/certificate' to specify a client
#		     SSL certificate to use when connecting to this peer.
#
#		     use 'sslkey=/path/to/ssl/key' to specify the private SSL
#		     key corresponding to sslcert above. If 'sslkey' is not
#		     specified 'sslcert' is assumed to reference a
#		     combined file containing both the certificate and the key.
#
#		     use sslversion=1|2|3|4 to specify the SSL version to use
#		     when connecting to this peer
#			1 = automatic (default)
#			2 = SSL v2 only
#			3 = SSL v3 only
#			4 = TLS v1 only
#
#		     use sslcipher=... to specify the list of valid SSL ciphers
#		     to use when connecting to this peer.
#
#		     use ssloptions=... to specify various SSL engine options:
#			NO_SSLv2  Disallow the use of SSLv2
#			NO_SSLv3  Disallow the use of SSLv3
#			NO_TLSv1  Disallow the use of TLSv1
#		     See src/ssl_support.c or the OpenSSL documentation for
#		     a more complete list.
#
#		     use sslcafile=... to specify a file containing
#		     additional CA certificates to use when verifying the
#		     peer certificate.
#
#		     use sslcapath=... to specify a directory containing
#		     additional CA certificates to use when verifying the
#		     peer certificate.
#
#		     use sslcrlfile=... to specify a certificate revocation
#		     list file to use when verifying the peer certificate.
#
#		     use sslflags=... to specify various flags modifying the
#		     SSL implementation:
#			DONT_VERIFY_PEER
#				Accept certificates even if they fail to
#				verify.
#			NO_DEFAULT_CA
#				Don't use the default CA list built in
#				to OpenSSL.
#
#		     use ssldomain= to specify the peer name as advertised
#		     in its certificate. Used for verifying the correctness
#		     of the received peer certificate. If not specified the
#		     peer hostname will be used.
#
#		     use front-end-https to enable the "Front-End-Https: On"
#		     header needed when using Squid as an SSL frontend in front
#		     of Microsoft OWA. See MS KB document Q307347 for details
#		     on this header. If set to auto the header will
#		     only be added if the request is forwarded as a https://
#		     URL.
#
#		     use connection-auth=off to tell Squid that this peer does
#		     not support Microsoft connection oriented authentication,
#		     and any such challenges received from there should be
#		     ignored. Default is auto to automatically determine the
#		     status of the peer.
#
#		     use idle=n to specify a minimum number of idle connections
#		     that should be kept open to this peer.
#
#		     use http11 to send requests using HTTP/1.1 to this peer.
#		     Note: The HTTP/1.1 support is still incomplete, with an
#		     internal HTTP/1.0 hop. As a result 1xx responses will not
#		     be forwarded.
#
#Default:
# none
 
#  TAG: cache_peer_domain
#	Use to limit the domains for which a neighbor cache will be
#	queried.  Usage:
#
#	cache_peer_domain cache-host domain [domain ...]
#	cache_peer_domain cache-host !domain
#
#	For example, specifying
#
#		cache_peer_domain parent.foo.net	.edu
#
#	has the effect such that UDP query packets are sent to
#	'bigserver' only when the requested object exists on a
#	server in the .edu domain.  Prefixing the domain name
#	with '!' means the cache will be queried for objects
#	NOT in that domain.
#
#	NOTE:	* Any number of domains may be given for a cache-host,
#		  either on the same or separate lines.
#		* When multiple domains are given for a particular
#		  cache-host, the first matched domain is applied.
#		* Cache hosts with no domain restrictions are queried
#		  for all requests.
#		* There are no defaults.
#		* There is also a 'cache_peer_access' tag in the ACL
#		  section.
#
#Default:
# none
 
#  TAG: cache_peer_access
#	Similar to 'cache_peer_domain' but provides more flexibility by
#	using ACL elements.
#
#	cache_peer_access cache-host allow|deny [!]aclname ...
#
#	The syntax is identical to 'http_access' and the other lists of
#	ACL elements.  See the comments for 'http_access' below, or
#	the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
#
#Default:
# none
 
#  TAG: neighbor_type_domain
#	usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
#	Modifying the neighbor type for specific domains is now
#	possible.  You can treat some domains differently than the
#	default neighbor type specified on the 'cache_peer' line.
#	Normally it should only be necessary to list domains which
#	should be treated differently because the default neighbor type
#	applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
#	cache_peer cache.foo.org parent 3128 3130
#	neighbor_type_domain cache.foo.org sibling .com .net
#	neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none
 
#  TAG: dead_peer_timeout	(seconds)
#	This controls how long Squid waits to declare a peer cache
#	as "dead."  If there are no ICP replies received in this
#	amount of time, Squid will declare the peer dead and not
#	expect to receive any further ICP replies.  However, it
#	continues to send ICP queries, and will mark the peer as
#	alive upon receipt of the first subsequent ICP reply.
#
#	This timeout also affects when Squid expects to receive ICP
#	replies from peers.  If more than 'dead_peer' seconds have
#	passed since the last ICP reply was received, Squid will not
#	expect to receive an ICP reply on the next query.  Thus, if
#	your time between requests is greater than this timeout, you
#	will see a lot of requests sent DIRECT to origin servers
#	instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds
 
#  TAG: hierarchy_stoplist
#	A list of words which, if found in a URL, cause the object to
#	be handled directly by this cache.  In other words, use this
#	to not query neighbor caches for certain objects.  You may
#	list this option multiple times. Note: never_direct overrides
#	this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?


# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
 
#  TAG: cache_mem	(bytes)
#	NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
#	IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
#	USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
#	THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
#	'cache_mem' specifies the ideal amount of memory to be used
#	for:
#		* In-Transit objects
#		* Hot Objects
#		* Negative-Cached objects
#
#	Data for these objects are stored in 4 KB blocks.  This
#	parameter specifies the ideal upper limit on the total size of
#	4 KB blocks allocated.  In-Transit objects take the highest
#	priority.
#
#	In-transit objects have priority over the others.  When
#	additional space is needed for incoming data, negative-cached
#	and hot objects will be released.  In other words, the
#	negative-cached and hot objects will fill up any unused space
#	not needed for in-transit objects.
#
#	If circumstances require, this limit will be exceeded.
#	Specifically, if your incoming request rate requires more than
#	'cache_mem' of memory to hold in-transit objects, Squid will
#	exceed this limit to satisfy the new requests.  When the load
#	decreases, blocks will be freed until the high-water mark is
#	reached.  Thereafter, blocks will be used to store hot
#	objects.
#
#Default:
# cache_mem 8 MB

cache_mem 128 MB
 
#  TAG: maximum_object_size_in_memory	(bytes)
#	Objects greater than this size will not be attempted to be kept in
#	the memory cache. This should be set high enough to keep objects
#	accessed frequently in memory to improve performance whilst low
#	enough to keep larger objects from hoarding cache_mem.
#
#Default:
# maximum_object_size_in_memory 8 KB

#  TAG: memory_replacement_policy
#	The memory replacement policy parameter determines which
#	objects are purged from memory when memory space is needed.
#
#	See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru


# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
 
#  TAG: cache_replacement_policy
#	The cache replacement policy parameter determines which
#	objects are evicted (replaced) when disk space is needed.
#
#	    lru       : Squid's original list based LRU policy
#	    heap GDSF : Greedy-Dual Size Frequency
#	    heap LFUDA: Least Frequently Used with Dynamic Aging
#	    heap LRU  : LRU policy implemented using a heap
#
#	Applies to any cache_dir lines listed below this.
#
#	The LRU policies keep recently referenced objects.
#
#	The heap GDSF policy optimizes object hit rate by keeping smaller
#	popular objects in cache so it has a better chance of getting a
#	hit.  It achieves a lower byte hit rate than LFUDA though since
#	it evicts larger (possibly popular) objects.
#
#	The heap LFUDA policy keeps popular objects in cache regardless of
#	their size and thus optimizes byte hit rate at the expense of
#	hit rate since one large, popular object will prevent many
#	smaller, slightly less popular objects from being cached.
#
#	Both policies utilize a dynamic aging mechanism that prevents
#	cache pollution that can otherwise occur with frequency-based
#	replacement policies.
#
#	NOTE: if using the LFUDA replacement policy you should increase
#	the value of maximum_object_size above its default of 4096 KB
#	to maximize the potential byte hit rate improvement of LFUDA.
#
#	For more information about the GDSF and LFUDA cache replacement
#	policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
#	and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#
#Default:
# cache_replacement_policy lru
 
#  TAG: cache_dir
#	Usage:
#
#	cache_dir Type Directory-Name Fs-specific-data [options]
#
#	You can specify multiple cache_dir lines to spread the
#	cache among different disk partitions.
#
#	Type specifies the kind of storage system to use. Only "ufs"
#	is built by default. To enable any of the other storage systems
#	see the --enable-storeio configure option.
#
#	'Directory' is a top-level directory where cache swap
#	files will be stored. If you want to use an entire disk
#	for caching, this can be the mount-point directory.
#	The directory must exist and be writable by the Squid
#	process. Squid will NOT create this directory for you.
#	Only using COSS, a raw disk device or a stripe file can
#	be specified, but the configuration of the "cache_swap_log"
#	tag is mandatory.
#
#	The ufs store type:
#
#	"ufs" is the old well-known Squid storage format that has always
#	been there.
#
#	cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#	'Mbytes' is the amount of disk space (MB) to use under this
#	directory.  The default is 100 MB.  Change this to suit your
#	configuration.  Do NOT put the size of your disk drive here.
#	Instead, if you want Squid to use the entire disk drive,
#	subtract 20% and use that value.
#
#	'Level-1' is the number of first-level subdirectories which
#	will be created under the 'Directory'.  The default is 16.
#
#	'Level-2' is the number of second-level subdirectories which
#	will be created under each first-level directory.  The default
#	is 256.
#
#	The aufs store type:
#
#	"aufs" uses the same storage format as "ufs", utilizing
#	POSIX-threads to avoid blocking the main Squid process on
#	disk-I/O. This was formerly known in Squid as async-io.
#
#	cache_dir aufs Directory-Name Mbytes L1 L2 [options]
#
#	see argument descriptions under ufs above
#
#	The diskd store type:
#
#	"diskd" uses the same storage format as "ufs", utilizing a
#	separate process to avoid blocking the main Squid process on
#	disk-I/O.
#
#	cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
#
#	see argument descriptions under ufs above
#
#	Q1 specifies the number of unacknowledged I/O requests when Squid
#	stops opening new files. If this many messages are in the queues,
#	Squid won't open new files. Default is 64
#
#	Q2 specifies the number of unacknowledged messages when Squid
#	starts blocking.  If this many messages are in the queues,
#	Squid blocks until it receives some replies. Default is 72
#
#	When Q1 < Q2 (the default), the cache directory is optimized
#	for lower response time at the expense of a decrease in hit
#	ratio.  If Q1 > Q2, the cache directory is optimized for
#	higher hit ratio at the expense of an increase in response
#	time.
#
#	The coss store type:
#
#	block-size=n defines the "block size" for COSS cache_dir's.
#	Squid uses file numbers as block numbers.  Since file numbers
#	are limited to 24 bits, the block size determines the maximum
#	size of the COSS partition.  The default is 512 bytes, which
#	leads to a maximum cache_dir size of 512<<24, or 8 GB.  Note
#	you should not change the COSS block size after Squid
#	has written some objects to the cache_dir.
#
#	overwrite-percent=n defines the percentage of disk that COSS
#	must write to before a given object will be moved to the
#	current stripe.  A value of "n" closer to 100 will cause COSS
#	to waste less disk space by having multiple copies of an object
#	on disk, but will increase the chances of overwriting a popular
#	object as COSS overwrites stripes.  A value of "n" close to 0
#	will cause COSS to keep all current objects in the current COSS
#	stripe at the expense of the hit rate.  The default value of 50
#	will allow any given object to be stored on disk a maximum of
#	2 times.
#
#	max-stripe-waste=n defines the maximum amount of space that COSS
#	will waste in a given stripe (in bytes).  When COSS writes data
#	to disk, it will potentially waste up to "max-size" worth of disk
#	space for each 1MB of data written.  If "max-size" is set to a
#	large value (ie >256k), this could potentially result in large
#	amounts of wasted disk space. Setting this value to a lower value
#	(ie 64k or 32k) will result in a COSS disk refusing to cache
#	larger objects until the COSS stripe has been filled to within
#	"max-stripe-waste" of the maximum size (1MB).
#
#	membufs=n defines the number of "memory-only" stripes that COSS
#	will use.  When a cache hit is performed on a COSS stripe before
#	COSS has reached the overwrite-percent value for that object,
#	COSS will use a series of memory buffers to hold the object in
#	while the data is sent to the client.  This will define the maximum
#	number of memory-only buffers that COSS will use.  The default value
#	is 10, which will use a maximum of 10MB of memory for buffers.
#
#	maxfullbufs=n defines the maximum number of stripes a COSS partition
#	will have in memory waiting to be freed (either because the disk is
#	under load and the stripe is unwritten, or because clients are still
#	transferring data from objects using the memory).  In order to try
#	and maintain a good hit rate under load, COSS will reserve the last
#	2 full stripes for object hits. (ie a COSS cache_dir will reject
#	new objects when the number of full stripes is 2 less than maxfullbufs)
#
#	The null store type:
#
#	no options are allowed or required
#
#	Common options:
#
#	no-store, no new objects should be stored to this cache_dir
#
#	min-size=n, refers to the min object size this storedir will accept.
#	It's used to restrict a storedir to only store large objects
#	(e.g. aufs) while other storedirs are optimized for smaller objects
#	(e.g. COSS). Defaults to 0.
#
#	max-size=n, refers to the max object size this storedir supports.
#	It is used to initially choose the storedir to dump the object.
#	Note: To make optimal use of the max-size limits you should order
#	the cache_dir lines with the smallest max-size value first and the
#	ones with no max-size specification last.
#
#	Note that for coss, max-size must be less than COSS_MEMBUF_SZ
#	(hard coded at 1 MB).
#
#Default:
# cache_dir ufs c:/squid/var/cache 100 16 256

cache_dir ufs c:/squid/var/cache 512 32 128
 
#  TAG: store_dir_select_algorithm
#	Set this to 'round-robin' as an alternative.
#
#Default:
# store_dir_select_algorithm least-load

#  TAG: max_open_disk_fds
#	To avoid having disk as the I/O bottleneck Squid can optionally
#	bypass the on-disk cache if more than this amount of disk file
#	descriptors are open.
#
#	A value of 0 indicates no limit.
#
#Default:
# max_open_disk_fds 0

#  TAG: minimum_object_size	(bytes)
#	Objects smaller than this size will NOT be saved on disk.  The
#	value is specified in kilobytes, and the default is 0 KB, which
#	means there is no minimum.
#
#Default:
# minimum_object_size 0 KB

#  TAG: maximum_object_size	(bytes)
#	Objects larger than this size will NOT be saved on disk.  The
#	value is specified in kilobytes, and the default is 4MB.  If
#	you wish to get a high BYTES hit ratio, you should probably
#	increase this (one 32 MB object hit counts for 3200 10KB
#	hits).  If you wish to increase speed more than you want to
#	save bandwidth you should leave this low.
#
#	NOTE: if using the LFUDA replacement policy you should increase
#	this value to maximize the byte hit rate improvement of LFUDA!
#	See replacement_policy below for a discussion of this policy.
#
#Default:
# maximum_object_size 4096 KB
 
#  TAG: cache_swap_low	(percent, 0-100)
#  TAG: cache_swap_high	(percent, 0-100)
#
#	The low- and high-water marks for cache object replacement.
#	Replacement begins when the swap (disk) usage is above the
#	low-water mark and attempts to maintain utilization near the
#	low-water mark.  As swap utilization gets close to high-water
#	mark object eviction becomes more aggressive.  If utilization is
#	close to the low-water mark less replacement is done each time.
#
#	Defaults are 90% and 95%. If you have a large cache, 5% could be
#	hundreds of MB. If this is the case you may wish to set these
#	numbers closer together.
#
#Default:
# cache_swap_low 90
# cache_swap_high 95

#  TAG: update_headers	on|off
#	By default Squid updates stored HTTP headers when receiving
#	a 304 response. Set this to off if you want to disable this
#	for disk I/O performance reasons. Disabling this VIOLATES the
#	HTTP standard, and could make you liable for problems which it
#	causes.
#
#Default:
# update_headers on


# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
 
#  TAG: logformat
#	Usage:
#
#	logformat <name> <format specification>
#
#	Defines an access log format.
#
#	The <format specification> is a string with embedded % format codes
#
#	% format codes all follow the same basic structure where all but
#	the formatcode is optional. Output strings are automatically escaped
#	as required according to their context and the output format
#	modifiers are usually not needed, but can be specified if an explicit
#	output format is desired.
#
#		% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
#
#		"	output in quoted string format
#		[	output in squid text log format as used by log_mime_hdrs
#		#	output in URL quoted format
#		'	output as-is
#
#		-	left aligned
#		width	field width. If starting with 0 the
#			output is zero padded
#		{arg}	argument such as header name etc
#
#	Format codes:
#
#		>a	Client source IP address
#		>A	Client FQDN
#		>p	Client source port
#		<A	Server IP address or peer name
#		la	Local IP address (http_port)
#		lp	Local port number (http_port)
#		oa	Our outgoing IP address (tcp_outgoing_address)
#		ts	Seconds since epoch
#		tu	subsecond time (milliseconds)
#		tl	Local time. Optional strftime format argument
#			default %d/%b/%Y:%H:%M:%S %z
#		tg	GMT time. Optional strftime format argument
#			default %d/%b/%Y:%H:%M:%S %z
#		tr	Response time (milliseconds)
#		>h	Request header. Optional header name argument
#			on the format header[:[separator]element]
#		<h	Reply header. Optional header name argument
#			as for >h
#		un	User name
#		ul	User name from authentication
#		ui	User name from ident
#		us	User name from SSL
#		ue	User name from external acl helper
#		Hs	HTTP status code
#		Ss	Squid request status (TCP_MISS etc)
#		Sh	Squid hierarchy status (DEFAULT_PARENT etc)
#		mt	MIME content type
#		rm	Request method (GET/POST etc)
#		ru	Request URL
#		rp	Request URL-Path excluding hostname
#		rv	Request protocol version
#		ea	Log string returned by external acl
#		<st	Reply size including HTTP headers
#		>st	Request size including HTTP headers
#		st	Request+Reply size including HTTP headers
#		sn	Unique sequence number per log line entry
#		%	a literal % character
1487.
1488.
#	The default formats available (which do not need re-defining) are: 
1489.
1490.
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt 
1491.
#logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h] 
1492.
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh 
1493.
#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh 
1494.
1495.
#Default: 
1496.
# none 
1497.
 
1498.
logformat hsshsp %{%d.%m.%Y %H:%M:%S}tl %>a %ul %rm %Ss %ru 
1499.
 
#  TAG: access_log
#	These files log client request activities. Has a line every HTTP or
#	ICP request. The format is:
#	access_log <filepath> [<logformat name> [acl acl ...]]
#	access_log none [acl acl ...]]

#	Will log to the specified file using the specified format (which
#	must be defined in a logformat directive) those entries which match
#	ALL the acl's specified (which must be defined in acl clauses).
#	If no acl is specified, all requests will be logged to this file.

#	To disable logging of a request use the filepath "none", in which case
#	a logformat name should not be specified.

#	To log the request via syslog specify a filepath of "syslog":

#	access_log syslog[:facility.priority] [format [acl1 [acl2 ....]]]
#	where facility could be any of:
#	authpriv, daemon, local0 .. local7 or user.

#	And priority could be any of:
#	err, warning, notice, info, debug.

access_log c:/squid/var/logs/access.log hsshsp
 
#  TAG: log_access	allow|deny acl acl...
#	This options allows you to control which requests gets logged
#	to access.log (see access_log directive). Requests denied for
#	logging will also not be accounted for in performance counters.

#Default:
# none

#  TAG: logfile_daemon
#	Specify the path to the logfile-writing daemon. This daemon is
#	used to write the access and store logs, if configured.

#Default:
# logfile_daemon c:/squid/libexec/logfile-daemon.exe

#  TAG: cache_log
#	Cache logging file. This is where general information about
#	your cache's behavior goes. You can increase the amount of data
#	logged to this file with the "debug_options" tag below.

#Default:
# cache_log c:/squid/var/logs/cache.log

cache_log c:/squid/var/logs/cache.log
 
#  TAG: cache_store_log
#	Logs the activities of the storage manager.  Shows which
#	objects are ejected from the cache, and which objects are
#	saved and for how long.  To disable, enter "none". There are
#	not really utilities to analyze this data, so you can safely
#	disable it.

#Default:
# cache_store_log c:/squid/var/logs/store.log

cache_store_log c:/squid/var/logs/store.log
 
#  TAG: cache_swap_state
#	Location for the cache "swap.state" file. This index file holds
#	the metadata of objects saved on disk.  It is used to rebuild
#	the cache during startup.  Normally this file resides in each
#	'cache_dir' directory, but you may specify an alternate
#	pathname here.  Note you must give a full filename, not just
#	a directory. Since this is the index for the whole object
#	list you CANNOT periodically rotate it!

#	If %s can be used in the file name it will be replaced with a
#	a representation of the cache_dir name where each / is replaced
#	with '.'. This is needed to allow adding/removing cache_dir
#	lines when cache_swap_log is being used.

#	If have more than one 'cache_dir', and %s is not used in the name
#	these swap logs will have names such as:

#		cache_swap_log.00
#		cache_swap_log.01
#		cache_swap_log.02

#	The numbered extension (which is added automatically)
#	corresponds to the order of the 'cache_dir' lines in this
#	configuration file.  If you change the order of the 'cache_dir'
#	lines in this file, these index files will NOT correspond to
#	the correct 'cache_dir' entry (unless you manually rename
#	them).  We recommend you do NOT use this option.  It is
#	better to keep these index files in each 'cache_dir' directory.

#Default:
# none

#  TAG: logfile_rotate
#	Specifies the number of logfile rotations to make when you
#	type 'squid -k rotate'.  The default is 10, which will rotate
#	with extensions 0 through 9.  Setting logfile_rotate to 0 will
#	disable the file name rotation, but the logfiles are still closed
#	and re-opened.  This will enable you to rename the logfiles
#	yourself just before sending the rotate signal.

#	Note, the 'squid -k rotate' command normally sends a USR1
#	signal to the running squid process.  In certain situations
#	(e.g. on Linux with Async I/O), USR1 is used for other
#	purposes, so -k rotate uses another signal.  It is best to get
#	in the habit of using 'squid -k rotate' instead of 'kill -USR1
#	<pid>'.

#Default:
# logfile_rotate 10

#  TAG: emulate_httpd_log	on|off
#	The Cache can emulate the log file format which many 'httpd'
#	programs use.  To disable/enable this emulation, set
#	emulate_httpd_log to 'off' or 'on'.  The default
#	is to use the native log format since it includes useful
#	information Squid-specific log analyzers use.

#Default:
# emulate_httpd_log off

#  TAG: log_ip_on_direct	on|off
#	Log the destination IP address in the hierarchy log tag when going
#	direct. Earlier Squid versions logged the hostname here. If you
#	prefer the old way set this to off.

#Default:
# log_ip_on_direct on

#  TAG: mime_table
#	Pathname to Squid's MIME table. You shouldn't need to change
#	this, but the default file contains examples and formatting
#	information if you do.

#Default:
# mime_table c:/squid/etc/mime.conf

mime_table c:/squid/etc/mime.conf
 
#  TAG: log_mime_hdrs	on|off
#	The Cache can record both the request and the response MIME
#	headers for each HTTP transaction.  The headers are encoded
#	safely and will appear as two bracketed fields at the end of
#	the access log (for either the native or httpd-emulated log
#	formats).  To enable this logging set log_mime_hdrs to 'on'.

#Default:
# log_mime_hdrs off

#  TAG: useragent_log
#	Squid will write the User-Agent field from HTTP requests
#	to the filename specified here.  By default useragent_log
#	is disabled.

#Default:
# none

#  TAG: referer_log
#	Squid will write the Referer field from HTTP requests to the
#	filename specified here.  By default referer_log is disabled.
#	Note that "referer" is actually a misspelling of "referrer"
#	however the misspelt version has been accepted into the HTTP RFCs
#	and we accept both.

#Default:
# none

#  TAG: pid_filename
#	A filename to write the process-id to.  To disable, enter "none".

#Default:
# pid_filename c:/squid/var/logs/squid.pid

#  TAG: debug_options
#	Logging options are set as section,level where each source file
#	is assigned a unique section.  Lower levels result in less
#	output,  Full debugging (level 9) can result in a very large
#	log file, so be careful.  The magic word "ALL" sets debugging
#	levels for all sections.  We recommend normally running with
#	"ALL,1".

#Default:
# debug_options ALL,1

#  TAG: log_fqdn	on|off
#	Turn this on if you wish to log fully qualified domain names
#	in the access.log. To do this Squid does a DNS lookup of all
#	IP's connecting to it. This can (in some situations) increase
#	latency, which makes your cache seem slower for interactive
#	browsing.

#Default:
# log_fqdn off
log_fqdn off
 
#  TAG: client_netmask
#	A netmask for client addresses in logfiles and cachemgr output.
#	Change this to protect the privacy of your cache clients.
#	A netmask of 255.255.255.0 will log all IP's in that range with
#	the last digit set to '0'.

#Default:
# client_netmask 255.255.255.255

#  TAG: forward_log
# Note: This option is only available if Squid is rebuilt with the
#       --enable-forward-log option

#	Logs the server-side requests.

#	This is currently work in progress.

#Default:
# none

#  TAG: strip_query_terms
#	By default, Squid strips query terms from requested URLs before
#	logging.  This protects your user's privacy.

#Default:
# strip_query_terms on

#  TAG: buffered_logs	on|off
#	cache.log log file is written with stdio functions, and as such
#	it can be buffered or unbuffered. By default it will be unbuffered.
#	Buffering it can speed up the writing slightly (though you are
#	unlikely to need to worry unless you run with tons of debugging
#	enabled in which case performance will suffer badly anyway..).

#Default:
# buffered_logs off

#  TAG: netdb_filename
#	A filename where Squid stores it's netdb state between restarts.
#	To disable, enter "none".

#Default:
# netdb_filename c:/squid/var/logs/netdb.state


# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------

#  TAG: ftp_user
#	If you want the anonymous login password to be more informative
#	(and enable the use of picky ftp servers), set this to something
#	reasonable for your domain, like wwwuser@somewhere.net

#	The reason why this is domainless by default is the
#	request can be made on the behalf of a user in any domain,
#	depending on how the cache is used.
#	Some ftp server also validate the email address is valid
#	(for example perl.com).

#Default:
# ftp_user Squid@

#  TAG: ftp_list_width
#	Sets the width of ftp listings. This should be set to fit in
#	the width of a standard browser. Setting this too small
#	can cut off long filenames when browsing ftp sites.

#Default:
# ftp_list_width 32

#  TAG: ftp_passive
#	If your firewall does not allow Squid to use passive
#	connections, turn off this option.

#Default:
# ftp_passive on
Member: Dani
30.12.2011 at 10:42
That's not exactly easy to read... you could have posted just the lines you actually have active. Then it wouldn't have turned into a novel!

I went to the trouble of copying out the individual lines. Give this a try:
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8		# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 8080	# http2
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
#acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 3000	# Star Money
acl Safe_ports port 1080	# Star Money
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow localnet
http_access deny manager

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

icp_access allow localnet
icp_access deny all

http_port 3128
cache_mem 128 MB
cache_dir ufs c:/squid/var/cache 512 32 128

logformat hsshsp %{%d.%m.%Y %H:%M:%S}tl %>a %ul %rm %Ss %ru

access_log c:/squid/var/logs/access.log hsshsp
cache_log c:/squid/var/logs/cache.log
cache_store_log c:/squid/var/logs/store.log
mime_table c:/squid/etc/mime.conf
log_fqdn off
Member: mcafeehasser
30.12.2011 at 14:28
Hello Dani,

first of all, thanks for the effort.

If I create a Squid.Conf file that contains only this content, the Squid service does not start.

The changes to my original Squid.Conf file made no difference. The machine Squid runs on gets onto the Internet; the clients still do not.
Member: Dani
30.12.2011 at 14:31
Can you tell me why, here
access_log c:/squid/var/logs/access.log hsshsp
there is an hsshsp at the end?!

"If I create a Squid.Conf file that contains only this content, the Squid service does not start."
Hmm... Is there an error message? Otherwise have a look yourself at what I forgot to copy.
Member: mcafeehasser
30.12.2011 at 15:10
So that the following formatting is used: logformat hsshsp %{%d.%m.%Y %H:%M:%S}tl %>a %ul %rm %Ss %ru

There are no error messages. Only when I try to start the service, a message appears saying that the service was stopped because it is not being used.

Should the entries in your "Squid.conf" be enough on their own for Squid to work?
Member: Dani
30.12.2011 at 15:19
Ah okay... fair enough. I have just installed Squid for Windows myself. The log files say exactly what it does not like.
My config looks like this and it works, too:
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8		# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 8080	# http2
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
#acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 3000	# Star Money
acl Safe_ports port 1080	# Star Money
acl CONNECT method CONNECT

http_access allow localhost
http_access allow localnet

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

icp_access allow localnet
icp_access deny all

http_port 3128
cache_mem 128 MB
cache_dir ufs c:/squid/var/cache 512 32 128

logformat hsshsp %{%d.%m.%Y %H:%M:%S}tl %>a %ul %rm %Ss %ru

access_log c:/squid/var/logs/access.log hsshsp
cache_log c:/squid/var/logs/cache.log
cache_store_log c:/squid/var/logs/store.log
mime_table c:/squid/etc/mime.conf
log_fqdn off
You may have to delete the cache directory completely and have it recreated.

Regards,
Dani
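Squid reads `http_access` lines from top to bottom and stops at the first line whose ACLs all match, so in the rule order posted above `allow localnet` decides for LAN clients before `deny !Safe_ports` and `deny CONNECT !SSL_ports` are consulted. The following is an added example, not part of Dani's post or of Squid: it replays that evaluation for the posted order and for a variant with the allow lines moved behind the port restrictions (the evaluator functions, the Safe_ports shortening and all request values in it are assumptions made for illustration).

```python
import ipaddress

# Access rules in the order posted above (Safe_ports list shortened, comments dropped).
POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 8080
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow localhost
http_access allow localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Same rules with the two allow lines moved behind the port restrictions.
ALLOWS = "http_access allow localhost\nhttp_access allow localnet\n"
REORDERED = POSTED.replace(ALLOWS, "").replace(
    "http_access deny all\n", ALLOWS + "http_access deny all\n")


def parse(conf):
    """Return (acls, rules); acls maps an ACL name to its (type, value) tests."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls.setdefault(words[1], []).extend((words[2], v) for v in words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(tests, req):
    """Values of one ACL name are OR-ed: any matching value is enough."""
    for kind, value in tests:
        if kind == "src":
            if ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value):
                return True
        elif kind == "port":
            low, _, high = value.partition("-")
            if int(low) <= req["port"] <= int(high or low):
                return True
        elif kind == "method" and req["method"] == value:
            return True
    return False


def decide(conf, req):
    """Return (action, deciding line): the first line whose ACLs all match wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        line = "http_access %s %s" % (action, " ".join(names))
        undefined = [n for n in names if n.lstrip("!") not in acls]
        if undefined:  # this checker's own policy: refuse to guess
            raise ValueError("%s: undefined ACL %s" % (line, undefined))
        # ACLs on one line are AND-ed; a leading "!" negates the match.
        if all(acl_matches(acls[n.lstrip("!")], req) != n.startswith("!")
               for n in names):
            return action, line
    # Nothing matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), "(no line matched)"
```

Calling `decide(POSTED, req)` and `decide(REORDERED, req)` with the same LAN request for a port outside Safe_ports shows which line decides in each order.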
Member: mcafeehasser
30.12.2011, updated 10.10.2012
OK, with that conf Squid now starts, after I recreated the cache.

cache.log entry:
2011/12/30 15:54:04| Starting Squid Cache version 2.7.STABLE8 for i686-pc-winnt...
2011/12/30 15:54:04| Running as SQUID Windows System Service on Windows Server 2008
2011/12/30 15:54:04| Service command line is:
2011/12/30 15:54:04| Process ID 18064
2011/12/30 15:54:04| With 2048 file descriptors available
2011/12/30 15:54:04| With 2048 CRT stdio descriptors available
2011/12/30 15:54:04| Windows sockets initialized
2011/12/30 15:54:04| Using select for the IO loop
2011/12/30 15:54:04| Performing DNS Tests...
2011/12/30 15:54:04| Successful DNS name lookup tests...
2011/12/30 15:54:04| DNS Socket created at 0.0.0.0, port 62700, FD 5
2011/12/30 15:54:04| Adding nameserver 192.168.97.4 from Registry
2011/12/30 15:54:04| Adding domain hsshsp.local from Registry
2011/12/30 15:54:04| User-Agent logging is disabled.
2011/12/30 15:54:04| Referer logging is disabled.
2011/12/30 15:54:04| logfileOpen: opening log c:/squid/var/logs/access.log
2011/12/30 15:54:04| Unlinkd pipe opened on FD 8
2011/12/30 15:54:04| Swap maxSize 524288 + 131072 KB, estimated 50412 objects
2011/12/30 15:54:04| Target number of buckets: 2520
2011/12/30 15:54:04| Using 8192 Store buckets
2011/12/30 15:54:04| Max Mem  size: 131072 KB
2011/12/30 15:54:04| Max Swap size: 524288 KB
2011/12/30 15:54:04| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2011/12/30 15:54:04| logfileOpen: opening log c:/squid/var/logs/store.log
2011/12/30 15:54:04| Rebuilding storage in c:/squid/var/cache (DIRTY)
2011/12/30 15:54:04| Using Least Load store dir selection
2011/12/30 15:54:04| Current Directory is c:\squid\sbin
2011/12/30 15:54:04| Loaded Icons.
2011/12/30 15:54:04| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 13.
2011/12/30 15:54:04| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2011/12/30 15:54:04| Accepting HTCP messages on port 4827, FD 15.
2011/12/30 15:54:04| Accepting SNMP messages on port 3401, FD 16.
2011/12/30 15:54:04| Ready to serve requests.
2011/12/30 15:54:07| Done scanning c:/squid/var/cache (0 entries)
2011/12/30 15:54:07| Finished rebuilding storage from disk.
2011/12/30 15:54:07|         0 Entries scanned
2011/12/30 15:54:07|         0 Invalid entries.
2011/12/30 15:54:07|         0 With invalid flags.
2011/12/30 15:54:07|         0 Objects loaded.
2011/12/30 15:54:07|         0 Objects expired.
2011/12/30 15:54:07|         0 Objects cancelled.
2011/12/30 15:54:07|         0 Duplicate URLs purged.
2011/12/30 15:54:07|         0 Swapfile clashes avoided.
2011/12/30 15:54:07|   Took 3.1 seconds (   0.0 objects/sec).
2011/12/30 15:54:07| Beginning Validation Procedure
2011/12/30 15:54:07|   Completed Validation Procedure
2011/12/30 15:54:07|   Validated 0 Entries
2011/12/30 15:54:07|   store_swap_size = 0k
2011/12/30 15:54:08| storeLateRelease: released 0 objects
Access.log entry:
30.12.2011 15:54:23 192.168.97.4 - GET TCP_MISS http://www.google.de/
30.12.2011 15:54:25 192.168.97.4 - GET TCP_MISS http://clients1.google.de/generate_204
30.12.2011 15:54:26 192.168.97.4 - GET TCP_MISS http://www.google.de/csi?
30.12.2011 15:56:21 192.168.97.4 - POST TCP_MISS http://safebrowsing.clients.google.com/safebrowsing/downloads?
30.12.2011 15:56:24 192.168.97.4 - GET TCP_MISS http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEY8K4EIPSuBCoFcxcBAAMyBXAXAQAH
30.12.2011 15:57:35 192.168.97.4 - GET TCP_MISS http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAAYy-wDINTsAzIGS_YAAP8D
30.12.2011 15:57:36 192.168.97.4 - GET TCP_MISS http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchABGPu3BSD8twUqBfxbAQABMgX7WwEAAQ
30.12.2011 15:57:36 192.168.97.4 - GET TCP_MISS http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGOfPCyDozwsyBefnAgAD
30.12.2011 15:57:36 192.168.97.4 - GET TCP_MISS http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGOnPCyCQ0AsqCe7nAgD_____BzIF6ecCAB8
192.168.97.4 is the machine running SQUID. The client's connection attempt does not even show up in the log.
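A client that is missing from access.log and a client that Squid logged as TCP_DENIED point to different places to look. The following is an added example, not part of the thread: it parses the thread's `hsshsp` log format and sorts expected clients into served, denied or absent (the last three sample lines, the client addresses ending in .20 to .22 and the function names are constructed for this example).

```python
import ipaddress
from datetime import datetime

# "hsshsp" lines: the first two are copied from the access.log posted above,
# the remaining three are constructed for this example.
SAMPLE = """\
30.12.2011 15:54:23 192.168.97.4 - GET TCP_MISS http://www.google.de/
30.12.2011 15:56:21 192.168.97.4 - POST TCP_MISS http://safebrowsing.clients.google.com/safebrowsing/downloads?
30.12.2011 16:40:02 192.168.97.20 - GET TCP_MISS http://www.example.com/
30.12.2011 16:41:10 192.168.97.21 - GET TCP_DENIED http://www.example.com/
this line is damaged and must be skipped
"""


def parse_line(line):
    """Parse one line of: %{%d.%m.%Y %H:%M:%S}tl %>a %ul %rm %Ss %ru"""
    parts = line.split(None, 6)
    if len(parts) != 7:
        return None
    date, clock, client, user, method, status, url = parts
    try:
        when = datetime.strptime(date + " " + clock, "%d.%m.%Y %H:%M:%S")
        client = str(ipaddress.ip_address(client))
    except ValueError:
        return None  # not a timestamp / not an IP address: skip the line
    return {"time": when, "client": client,
            "user": None if user == "-" else user,
            "method": method, "status": status, "url": url}


def client_states(log_text, expected):
    """Map each expected client IP to 'served', 'denied' or 'absent'."""
    states = {ip: "absent" for ip in expected}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["client"] not in states:
            continue
        if entry["status"].startswith("TCP_DENIED"):
            # Squid saw the request and an access rule refused it.
            if states[entry["client"]] == "absent":
                states[entry["client"]] = "denied"
        else:
            states[entry["client"]] = "served"
    return states


def advice(state):
    """Where to look next for a client in the given state."""
    return {
        "absent": "no request reached Squid: check routing, browser proxy "
                  "settings and packet filters in front of http_port",
        "denied": "Squid received the request and refused it: "
                  "check acl/http_access",
        "served": "proxy path works for this client",
    }[state]
```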
Member: Dani
30.12.2011 at 16:15
Hmm.. Did you disable the (Windows) firewall as a test?!
In my test environment the clients reach the proxy. Your IP range matches the three at the beginning of the configuration. Just comment out the two you do not need.

Regards,
Dani
Member: mcafeehasser
30.12.2011 at 16:37
Aye.. we had already switched off the (Windows) firewall on the clients, we just had not thought of the one on the SBS 2011 -.-

It works now. Many thanks :)

I just still have to find the firewall exceptions ^^, because I would rather not disable it permanently.
Member: Dani
30.12.2011 at 16:38
Well,
allow port 3128 inbound.

Regards,
Dani
Member: mcafeehasser
30.12.2011 at 17:49
Yep, clear so far. It is just that looking at the firewall rules gave me a very queasy feeling.

McAfee Enterprise (see my nickname ^^) has made a not inconsiderable number of entries there. I will take care of it tomorrow, that is enough for today.

Thanks again for your help *bows*