Squid configuration directive http_port
Available in: 3.3 3.2 3.1 2.7 3.HEAD 2.HEAD 3.0 2.6
History:
- Changes in 3.3 (http_port): act-as-origin not yet ported from 2.7.
- Changes in 3.2 (http_port: act-as-origin, vhost, no-vhost):
  - act-as-origin ported from 2.7. This option corrects several HTTP header issues when operating as a reverse proxy and cache, notably the externally visible aging of objects stored in the server-side cache.
  - vhost is deprecated. accel mode (reverse proxy) now defaults to always enabling HTTP/1.1 virtual domain support.
  - no-vhost option added to disable the new reverse proxy behaviour.
- Changes in 3.1 (http_port: transparent, intercept, ssl-bump, connection-auth[=on|off], ignore-cc):
  - Option 'transparent' is being deprecated in favour of 'intercept', which more clearly identifies what the option does. For now option 'tproxy' remains with the old behaviour, meaning a fully-invisible proxy using TPROXY support.
  - New port options:
    - intercept: Rename of the old 'transparent' option to indicate its proper functionality.
    - allow-direct: Allow direct forwarding in accelerator mode. Normally accelerated requests are denied direct forwarding as if never_direct was used.
    - connection-auth[=on|off]: Use connection-auth=off to tell Squid to prevent forwarding Microsoft connection-oriented authentication (NTLM, Negotiate and Kerberos).
    - keepalive[=idle,interval,timeout]: Enable TCP keepalive probes of idle connections. idle is the initial time before TCP starts probing the connection, interval how often to probe, and timeout the time before giving up.
    - ignore-cc: Ignore request Cache-Control headers. Warning: this option violates HTTP specifications if used in non-accelerator setups.
    - ssl-bump: Intercept each CONNECT request matching the ssl_bump ACL, establish a secure connection with the client and with the server, decrypt HTTP messages as they pass through Squid, and treat them as unencrypted HTTP messages, becoming the man-in-the-middle. When this option is enabled, additional options become available to specify SSL-related properties of the client-side connection: cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, and sslcontext. See the https_port directive for more information on these options. The ssl_bump directive is required to fully enable the SSL Bump feature.
- Changes in 2.7 (http_port):
  - Accelerator mode options cleaned up (accel, defaultsite, vport, vhost and combinations thereof)
  - new "allow-direct" option
  - new "act-as-origin" option
  - new "http11" option (experimental)
  - new "name=" option
  - new "keepalive=" option
- Changes in 3.HEAD (http_port): act-as-origin not yet ported from 2.7.
- Changes in 3.0 (http_port): New option disable-pmtu-discovery=, controlling Path-MTU discovery usage: off lets the OS decide what to do (default); transparent disables PMTU discovery when transparent support is enabled; always disables PMTU discovery unconditionally. In many setups of transparently intercepting proxies, Path-MTU discovery cannot work on traffic towards the clients. This is the case when the intercepting device does not fully track connections and fails to forward ICMP "must fragment" messages to the cache server. If you have such a setup and experience that certain clients sporadically hang or never complete requests, set disable-pmtu-discovery to 'transparent'.
- Changes in 2.6 (http_port): Now takes a list of options in addition to the port address, specifying the purpose of this http_port. Default is a plain Internet proxy as usual. Also there is no longer a default port, and you must include an http_port directive in your squid.conf if you want Squid to listen for HTTP requests.
Configuration Details:
Option Name: http_port
Replaces: ascii_port
Requires: (none)
Default Value: none
Suggested Config:
    # Squid normally listens to port 3128
    http_port 3128
Usage:
    http_port port [mode] [options]
    http_port hostname:port [mode] [options]
    http_port 1.2.3.4:port [mode] [options]

The socket addresses where Squid will listen for HTTP client requests. You may specify multiple socket addresses. There are three forms: port alone, hostname with port, and IP address with port. If you specify a hostname or IP address, Squid binds the socket to that specific address. Most likely you do not need to bind to a specific address, so you can use the port number alone.

If you are running Squid in accelerator mode, you probably want to listen on port 80 also, or instead.

The -a command line option may be used to specify additional port(s) where Squid listens for proxy requests. Such ports will be plain proxy ports with no options.

You may specify multiple socket addresses on multiple lines.

Modes:
- intercept: Support for IP-layer interception of outgoing requests without browser settings. NP: disables authentication and IPv6 on the port.
- tproxy: Support Linux TPROXY for spoofing outgoing connections using the client IP address. NP: disables authentication and maybe IPv6 on the port.
- accel: Accelerator / reverse proxy mode.
- ssl-bump: For each CONNECT request allowed by ssl_bump ACLs, establish a secure connection with the client and with the server, decrypt HTTPS messages as they pass through Squid, and treat them as unencrypted HTTP messages, becoming the man-in-the-middle. The ssl_bump directive is required to fully enable bumping of CONNECT requests.

Omitting the mode flag causes the default forward proxy mode to be used.

Accelerator Mode Options:
- defaultsite=domainname: What to use for the Host: header if it is not present in a request. Determines what site (not origin server) accelerators should consider the default.
- no-vhost: Disable using the HTTP/1.1 Host header for virtual domain support.
- protocol=: Protocol to reconstruct accelerated requests with. Defaults to http for http_port and https for https_port.
- vport: Virtual host port support, using the http_port number instead of the port passed on Host: headers.
- vport=NN: Virtual host port support, using the specified port number instead of the port passed on Host: headers.
- act-as-origin: Act as if this Squid is the origin server. This currently means generating new Date: and Expires: headers on HIT instead of adding Age:.
- ignore-cc: Ignore request Cache-Control headers. WARNING: This option violates HTTP specifications if used in non-accelerator setups.
- allow-direct: Allow direct forwarding in accelerator mode. Normally accelerated requests are denied direct forwarding as if never_direct was used. WARNING: this option opens accelerator mode to security vulnerabilities usually only affecting interception mode (the accelerator becomes usable as an open forward proxy). Make sure to protect forwarding with suitable http_access rules when using this.

SSL Bump Mode Options: In addition to these options, ssl-bump requires TLS/SSL options.
- generate-host-certificates[=<on|off>]: Dynamically create SSL server certificates for the destination hosts of bumped CONNECT requests. When enabled, the cert and key options are used to sign generated certificates. Otherwise the generated certificate will be self-signed. If there is a CA certificate, the lifetime of the generated certificate equals the lifetime of the CA certificate. If the generated certificate is self-signed, its lifetime is three years. This option is enabled by default when ssl-bump is used. See the ssl-bump mode above for more information.
- dynamic_cert_mem_cache_size=SIZE: Approximate total RAM size spent on cached generated certificates. If set to zero, caching is disabled. The default value is 4MB.

TLS / SSL Options:
- cert=: Path to SSL certificate (PEM format).
- key=: Path to SSL private key file (PEM format). If not specified, the certificate file is assumed to be a combined certificate and key file.
- version=: The version of SSL/TLS supported. Note that every value other than 1 pins the port to exactly one protocol version:
    1 automatic (default)
    2 SSLv2 only
    3 SSLv3 only
    4 TLSv1.0 only
    5 TLSv1.1 only
    6 TLSv1.2 only
- cipher=: Colon-separated list of supported ciphers. NOTE: some ciphers such as EDH ciphers depend on additional settings. If those settings are omitted, the ciphers may be silently ignored by the OpenSSL library.
- options=: Various SSL implementation options. The most important being:
    NO_SSLv2      Disallow the use of SSLv2
    NO_SSLv3      Disallow the use of SSLv3
    NO_TLSv1      Disallow the use of TLSv1.0
    NO_TLSv1_1    Disallow the use of TLSv1.1
    NO_TLSv1_2    Disallow the use of TLSv1.2
    SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges
    ALL           Enable various bug workarounds suggested as "harmless" by OpenSSL. Be warned that this reduces SSL/TLS strength against some attacks.
  See the OpenSSL SSL_CTX_set_options documentation for a complete list of options.
- clientca=: File containing the list of CAs to use when requesting a client certificate.
- cafile=: File containing additional CA certificates to use when verifying client certificates. If unset, clientca will be used.
- capath=: Directory containing additional CA certificates and CRL lists to use when verifying client certificates.
- crlfile=: File of additional CRL lists to use when verifying the client certificate, in addition to CRLs stored in the capath. Implies the VERIFY_CRL flag below.
- dhparams=: File containing DH parameters for temporary/ephemeral DH key exchanges. See the OpenSSL documentation for details on how to create this file. WARNING: EDH ciphers will be silently disabled if this option is not set.
- sslflags=: Various flags modifying the use of SSL:
    DELAYED_AUTH      Don't request client certificates immediately, but wait until ACL processing requires a certificate (not yet implemented).
    NO_DEFAULT_CA     Don't use the default CA lists built in to OpenSSL.
    NO_SESSION_REUSE  Don't allow for session reuse. Each connection will result in a new SSL session.
    VERIFY_CRL        Verify CRL lists when accepting client certificates.
    VERIFY_CRL_ALL    Verify CRL lists for all certificates in the client certificate chain.
- sslcontext=: SSL session ID context identifier.
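The following squid.conf fragment is an added example, not taken from the Squid documentation or the Squid project, putting the TLS options above together on an ssl-bump port. It shows a weak configuration (commented out) beside a hardened one. The bind address, file paths, ACL name, helper path and the sslcrtd_program/sslcrtd_children lines are assumptions; the ssl_bump allow/deny form is the 3.1/3.2 syntax.

```conf
# Added example (not from the Squid docs): ssl-bump port with TLS options.
# Assumed: internal address 10.0.0.1, CA material under /etc/squid/, helper
# under /usr/lib/squid/. Adjust to your build and layout.

# WEAK (kept only for contrast, do not use): version=3 pins the client side
# to SSLv3 only, an EDH cipher is requested but no dhparams= is given so
# OpenSSL silently drops it, and a combined cert+key file with no options=
# leaves every weak protocol choice to the defaults.
# http_port 10.0.0.1:3130 ssl-bump cert=/etc/squid/bump-ca.pem version=3 cipher=EDH-RSA-DES-CBC3-SHA

# HARDENED: automatic negotiation (version=1) with SSLv2 and SSLv3 refused,
# ephemeral DH parameters supplied so EDH ciphers actually work, a fresh DH
# key per handshake, and generated certificates signed by a dedicated
# private CA (separate cert and key files) rather than self-signed.
http_port 10.0.0.1:3130 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/bump-ca.crt key=/etc/squid/bump-ca.key version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE cipher=HIGH:!aNULL:!MD5:!RC4 dhparams=/etc/squid/dhparam.pem

# Certificate generator helper needed by generate-host-certificates
# (path and database location assumed).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# ssl-bump on the port is not enough: the ssl_bump directive decides which
# CONNECT requests are actually decrypted. Bump only what policy requires
# and tunnel everything else untouched (assumed ACL name and domain).
acl bump_sites dstdomain .example.net
ssl_bump allow bump_sites
ssl_bump deny all
```

Check the result with `squid -k parse` before reloading; unknown or mis-spelled options= tokens are reported there, whereas a missing dhparams= is not (the EDH ciphers just disappear from the offered set, as the warning above says).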
Other Options:
- connection-auth[=on|off]: Use connection-auth=off to tell Squid to prevent forwarding Microsoft connection-oriented authentication (NTLM, Negotiate and Kerberos).
- disable-pmtu-discovery=: Control Path-MTU discovery usage: off lets the OS decide what to do (default); transparent disables PMTU discovery when transparent support is enabled; always disables PMTU discovery unconditionally. In many setups of transparently intercepting proxies, Path-MTU discovery cannot work on traffic towards the clients. This is the case when the intercepting device does not fully track connections and fails to forward ICMP "must fragment" messages to the cache server. If you have such a setup and experience that certain clients sporadically hang or never complete requests, set disable-pmtu-discovery to 'transparent'.
- name=: Specifies an internal name for the port. Defaults to the port specification (port or addr:port). The name can be matched with the myportname ACL, which is how http_access rules are tied to a particular port.
- tcpkeepalive[=idle,interval,timeout]: Enable TCP keepalive probes of idle connections. In seconds; idle is the initial time before TCP starts probing the connection, interval how often to probe, and timeout the time before giving up.

If you run Squid on a dual-homed machine with an internal and an external interface, we recommend you specify the internal address:port in http_port. This way Squid will only be visible on the internal address.
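As an added example, not from the Squid documentation or the Squid project, the fragment below configures a dual-homed host the way the recommendation above suggests: a forward proxy and an interception port bound to the internal address only, and an accelerator port on the external address routed to a single origin. The addresses, names, domains and ACL names are assumptions.

```conf
# Added example (not from the Squid docs): one dual-homed host, several ports.
# Assumed: internal interface 10.0.0.1, external interface 203.0.113.10,
# origin server 192.0.2.20, published site www.example.com.

# Plain forward proxy, bound to the internal address so it is unreachable
# from the external interface. name= gives http_access a handle on it.
http_port 10.0.0.1:3128 name=lan_proxy tcpkeepalive=60,10,60

# Interception port for traffic redirected by the firewall. Authentication
# is disabled on intercept ports by design; PMTU discovery is turned off
# because the redirecting device may not pass ICMP "must fragment" back.
http_port 10.0.0.1:3129 intercept name=lan_intercept disable-pmtu-discovery=transparent

# Reverse proxy for one site on the external interface. allow-direct is
# deliberately NOT set, so the port cannot be abused as an open forward
# proxy: requests can only go to a configured peer.
http_port 203.0.113.10:80 accel defaultsite=www.example.com no-vhost name=accel_www
cache_peer 192.0.2.20 parent 80 0 no-query originserver name=origin_www

acl localnet src 10.0.0.0/8
acl lan_ports myportname lan_proxy lan_intercept
acl accel_port myportname accel_www
acl www_site dstdomain www.example.com

# Internal ports: only internal clients, and only on the internal ports.
http_access allow lan_ports localnet
# Accelerator port: only the published site, and only to its origin.
http_access allow accel_port www_site
cache_peer_access origin_www allow www_site
cache_peer_access origin_www deny all
# Everything else (external clients on the LAN ports, other Host: values
# on the accelerator port) is refused.
http_access deny all
```

Binding to 10.0.0.1 is a reachability control; the myportname rules are what keep a request arriving on one port from being treated like one arriving on another, which matters because the intercept port has no authentication at all.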