NETWORK PARAMETERS

Network parameters control network configuration, e.g. communication ports, secure network access and options, SSL options, inter-cache communication, multicast ICP queries etc.

http_port	https_port	ssl_unclean_shutdown	ssl_engine	sslproxy_client_certificate
sslproxy_client_key	sslproxy_version	sslproxy_options	sslproxy_cipher	sslproxy_cafile
sslproxy_capath	sslproxy_flags	sslpassword_program	icp_port	htcp_port
mcast_groups	udp_incoming_address	udp_outgoing_address

TAG NAME: http_port

Description	Port where Squid will listen for clients http requests
Build Option	Default
Usage	http_port port [options] http_port hostname:port [options] http_port ip_adderss:port [options]
Default	none

Synopsis
This parameter allows the user to define the address on which Squid will listen for client's http requests. This is a required parameter, and there are no defaults.
Without this configuration, Squid will never start. Arguments

port	Port to which Squid will bind the socket
hostname	hostname to which Squid will bind the socket
ip_address	ip_address to which Squid will bind the socket

When a hostname or IP address is specified (as shown in variations 2 and 3 above), Squid binds the socket to that specific address.

Note: The http_port parameter may be specified multiple times, with different addresses each time. This will cause Squid to listen on multiple ports.

Options are arguments that further control the behavior of the Squid proxy. The supported values are explained in the table below:

Options	Functions
transparent	Support for transparent interception of outgoing requests without browser settings
accel	Accelerator mode. Also needs at least one of vhost/vport/defaultsite.
defaultsite=	Main web site name for accelerators. Implies accel.
vhost	Accelerator using the Host header for virtual domain support.
vport	Accelerator using the Host header for virtual domain support.
vport=	As above, but uses specified port number rather than the http_port number.
urlgroup=	Default urlgroup to mark requests with.
protocol=	Protocol to reconstruct accelerated requests with. Defaults to http.
no-connection-auth	Prevent forwarding of Microsoft connection oriented authentication.
tproxy	Support Linux TPROXY for spoofing outgoing connections using the client IP address.

Example(s)
http_port 3128
http_port 172.16.1.53:3300
http_port 172.16.1.53:80 accel defaultsite=visolve.com
http_port 3128 transparent

TAG NAME: https_port

Description	Port where Squid will listen for clients https requests
Build Option	--enable-ssl
Usage	https_port [ip:]port cert=certificate.pem key=key.pem] [options...]
Default	none

Synopsis
This parameter specifies the address where Squid will listen for client's https requests. Its role is significant when Squid is configured in accelerator mode where SSL works to be done. Arguments

ip	IP Address to which Squid will bind the socket
port	Port to which Squid will bind the socket
cert=certificate.pem	Path and the file name where SSL certificate is located
key=key.pem	Path and the file name where SSL private key for the certificate is located

options controls other additional features and are explained in the table below:

Options	Functions
accel	Accelerator mode. Also needs at least one of defaultsite or vhost.
defaultsite=	The name of the https site presented on this port
vhost	Domain based virtual host support. Useful in combination with a wildcard certificate or other certificates valid for more than one domain. Implies accel.
urlgroup=	Default urlgroup to mark requests with
protocol=	Protocol to reconstruct accelerated requests with. Defaults to https.
cert=	Path to SSL certificate (PEM format)
key=	Path to SSL private key file (PEM format) if not specified, the certificate file is assumed to be a combined certificate and key file
version=	The version of SSL/TLS supported 1 automatic (default) 2 SSLv2 only 3 SSLv3 only 4 TLSv1 only
cipher=	Colon separated list of supported ciphers
options=	Various SSL engine options. The most important being: NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges See src/ssl_support.cc or OpenSSL SSL_CTX_set_options documentation for a complete list of options.
clientca=	File containing the list of CAs to use when requesting a client certificate
cafile=	File containing additional CA certificates to use when verifying client certificates. If unset clientca will be used.
capath=	Directory containing additional CA certificates to use when verifying client certificates
dhparams=	File containing DH parameters for temporary/ephemeral DH key exchanges
sslflags=	Various flags modifying the use of SSL: DELAYED_AUTH - Don't request client certificates immediately, but wait until acl processing requires a certificate NO_DEFAULT_CA - Don't use the default CA list built in to OpenSSL. NO_SESSION_REUSE - Don't allow for session reuse. Each connection will result in a new SSL session. VERIFY_CRL - Verify CRL lists when accepting client certificates VERIFY_CRL_ALL - Verify CRL lists for all certificates in the client certificate chain
sslcontext=	SSL session ID context identifier.

Example(s)
https_port 443 cert=/usr/local/ssl/cert.pem key=/usr/local/ssl/key.pem defaultsite=visolve.com

TAG NAME: ssl_unclean_shutdown

Description	Used to handle bugs in browsers which does not fully support SSL
Build Option	--enable-ssl
Usage	ssl_unclean_shutdown on\|off
Default	ssl_unclean_shutdown off

Synopsis
Some browsers like MSIE will indicate bugs during SSL shutdown. During such conditions, making this tag "on" will handle those bugs. Arguments

on/off

Enable or disable ssl_unclean_shutdown

TAG NAME	ssl_engine
Description	Defines Hardware SSL acceleration which is to be used
Build Option	--enable-ssl
Usage	ssl_engine engine
Default	none

Synopsis
The openssl engine to use. For Example(s), you will need to set this if you would like to use hardware SSL acceleration. Arguments

engine

Hardware SSL accelerator to be used

TAG NAME: sslproxy_client_certificate

Description	Used to define clients SSL certificate for proxying https:// URLs
Build Option	--enable-ssl
Usage	sslproxy_client_certificate path/certificatefile
Default	none

Synopsis
When proxying https:// URLs requests, this tag defines the clients SSL certificate path and the certificate file to be used for verification. Arguments

path/certificatefile

Path and the file that holds the clients SSL certificate

Example(s)
sslproxy_client_certificate /usr/local/ssl/cert.pem

TAG NAME: sslproxy_client_key

Description	Defines clients SSL certificate key for proxying https:// URLs
Build Option	--enable-ssl
Usage	sslproxy_client_key path/key.pem
Default	none

Synopsis
When Squid is used as a proxy server for https:// URLs requests, this tag defines the clients SSL certificate key's path and the file that holds the key. Arguments

path/key.pem

Path and the file that contains the clients certificate key

Example(s)
sslproxy_client_key /usr/local/ssl/certkey.pem

TAG NAME: sslproxy_version

Description	Defines the SSL version level to be used when proxying https:// URLs
Build Option	--enable-ssl
Usage	sslproxy_version version
Default	sslproxy_version 1

Synopsis
When SSL certificate is used for proxying https:// URLs, this tag can be used to define the SSL version level that will be used for handling encrypted
connections. Arguments

version

SSL version level

Example(s)
sslproxy_version 3

TAG NAME: sslproxy_options

Description	This defines the SSL engine options to be used when proxying https:// URLs
Build Option	--enable-ssl
Usage	options option
Default	none

Synopsis
When proxying https:// URLs, this tag is used to specify various SSL options. Arguments

option

SSL options

Example(s)
sslproxy_options NO_SSLv2

TAG NAME: sslproxy_cipher

Description	SSL cipher list to be used when proxying https:// URLs
Build Option	--enable-ssl
Usage	sslproxy_cipher cipher
Default	none

Synopsis
This tag sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection when proxying https:// URLs

Arguments

cipher

SSL proxy cipher to be used

TAG NAME: sslproxy_cafile

Description	Defines the file that contains CA certificate
Build Option	--enable-ssl
Usage	sslproxy_cafile filename
Default	none

Synopsis
This tag defines the file that contains CA certificate to be used for verifying server certificates when Squid is used as a proxy server for https://URLs. Arguments

filename

File that contains CA certificate

Example(s)
sslproxy_cafile /usr/local/ca1.pem

TAG NAME: sslproxy_capath

Description	Defines the directory for the file containing CA certificate
Build Option	--enable-ssl
Usage	sslproxy_capath path
Default	none

Synopsis
While proxying https:// URLs, this tag defines the path where the CA certificate file to be used when verifying server certificates is located. Arguments

path

Path where CA certificate file is located

Example(s)
sslproxy_capath /usr/local/

TAG NAME: sslproxy_flags

Description	Specifies the way how SSL should act while proxying https:// URLs
Build Option	--enable-ssl
Usage	sslproxy_flags flags
Default	none

Synopsis
When Squid is used as a proxy server for https://URLs, this tag is used to defines the nature of SSL's behaviour. Arguments

Flags	Meaning
DONT_VERIFY_PEER	Accept certificates even if they fail to verify
NO_DEFAULT_CA	Don't use the default CA list built in to OpenSSL
NO_SESSION_REUSE	Don't allow for session reuse. Each connection will result in a new SSL session.
VERIFY_CRL	Verify CRL lists when accepting client certificates
VERIFY_CRL_ALL	Verify CRL lists for all certificates in the client certificate chain

Example(s)
sslproxy_flags NO_DEFAULT_CA

TAG NAME: sslpassword_program

Description	Specify a program used for entering SSL key passphrases when using encrypted SSL certificate keys.
Build Option	--enable-ssl
Usage	sslpassword_program program
Default	none

Synopsis Specify a program used for entering SSL key passphrases when using encrypted SSL certificate keys. If not specified keys must either be unencrypted, or Squid started with the -N option to allow it to query interactively for the passphrase. Arguments

program

Program used for entering the SSL key passphrase

Example(s)
sslpassword_program /usr/local/program

TAG NAME: icp_port

Description	Port number through which Squid sends and receives ICP queries
Build Option	Default
Usage	icp_port portnumber
Default	icp_port 0

Synopsis
Defines the port for ICP packets to be sent and received from neighbour caches. Arguments

portnumber

Port to which Squid will bind the socket

Example(s)
icp_port 3030

TAG NAME: htcp_port

Description	Port number through which Squid sends and receives HTCP queries
Build Option	--enable-htcp
Usage	htcp_port portnumber
Default	htcp_port 4827

Synopsis This tag defines the port address through which HTCP packets will be sent and received from neighbour caches.

Arguments

portnumber

Port to which Squid will bind the socket

Example(s)
htcp_port 2134

TAG NAME: mcast_groups

Description	Defines list of multicast groups which your server should join to receive multicasted ICP queries
Build Option	Default
Usage	mcast_groups ip_address
Default	none

Synopsis
Multicast is essentially the ability to send one IP packet to multiple receivers. Your server will join to the multicat groups defined by the IP Addresses.

This option is to be set only if you want to RECEIVE multicast queries.

ICP replies are always sent via unicast, so this option does not affect whether or not you will receive replies from multicast group members.

Arguments

ip_address

ip_address of the multicast groups to join

Example(s)
mcast_groups 239.128.16.128 224.0.1.20

TAG NAME	udp_incoming_address, udp_outgoing_address
Description	Defines the address for sending and receiving ICP packets
Build Option	Default
Usage	udp_incoming_address ip_address udp_outgoing_address ip_address
Default	udp_incoming_address 0.0.0.0 udp_outgoing_address 255.255.255.255

Synopsis
These tags defines the interface through which ICP packets are sent and received. The default behavior is to not bind to any specific address.

A udp_incoming_address value of 0.0.0.0 indicates that Squid should listen for UDP messages on all available interfaces. If udp_outgoing_address is set to 255.255.255.255 (the default) then it will use the same socket as udp_incoming_address. Only change this if you want to have ICP queries sent using another address than where this Squid listens for ICP queries from other caches. Arguments

ip_address

ip_address to which Squid binds the ICP socket

Note: udp_incoming_address and udp_outgoing_address cannot have the same value since they both use port 3130.

Example(s)
udp_incoming_address 192.168.1.35
udp_outgoing_address 192.168.150.6