squid.conf: specific parameters

squid.conf

Configuration documentation

[Configuration documentation]  http://www.squid-cache.org/Doc/config/

 Values with byte units

    Squid accepts size units on some size related directives. All
    such directives are documented with a default value displaying
    a unit.

    Units accepted by Squid are:
        bytes - byte
        KB - Kilobyte (1024 bytes)
        MB - Megabyte
        GB - Gigabyte

Questions

  • What is a virtual host port?

Related reading

https://www.visolve.com/squid/squid30/

https://www.visolve.com/squid/squid30/network.html

SMP-related configuration options

http://www.squid-cache.org/Versions/v4/cfgman/

workers

SMP support is disabled by default.

The number of main Squid processes, or "workers", to fork and maintain. 0: "no daemon" mode, as when started with "squid -N ...". 1: "no SMP" mode, starting a single Squid main process daemon (default). N: start N Squid process daemons (i.e., SMP mode).

In SMP mode, each worker does almost all of the work of a single Squid daemon (e.g., listening on http_port and forwarding HTTP requests).

cpu_affinity_map

Default: let the operating system decide.

Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...

Sets a 1:1 mapping between Squid processes and CPU cores. For example, cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7

affects processes 1 through 4 only and places them on the first four even cores, starting with core #1.

CPU cores are numbered starting from 1. Requires support for the sched_getaffinity(2) and sched_setaffinity(2) system calls.

sched_getaffinity and sched_setaffinity

[sched_getaffinity and sched_setaffinity]  https://blog.csdn.net/i_am_jojo/article/details/7592186
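As an added example (not from this page or the Squid project), a small Python checker for the cpu_affinity_map directive described above: it parses the process_numbers= and cores= lists and enforces the 1:1 mapping and 1-based core numbering. The optional cpu_count is assumed to be supplied by the caller (e.g., from os.cpu_count()).

```python
import re

# Squid numbers CPU cores from 1; disker kids use process numbers above the
# worker count, so only the lower bound of a process number is checked here.
_LIST_RE = re.compile(r"(process_numbers|cores)=([0-9,]+)")


def parse_cpu_affinity_map(line, cpu_count=None):
    """Parse one cpu_affinity_map directive and check the 1:1 mapping rules.

    Returns (mapping, problems): mapping is {process_number: core} and is
    empty whenever problems (a list of strings) is non-empty.
    """
    problems = []
    fields = line.split()
    if not fields or fields[0] != "cpu_affinity_map":
        return {}, ["not a cpu_affinity_map directive"]
    lists = {}
    for token in fields[1:]:
        m = _LIST_RE.fullmatch(token)
        if not m:
            problems.append(f"unrecognised token {token!r}")
            continue
        lists[m.group(1)] = [int(x) for x in m.group(2).split(",") if x]
    procs = lists.get("process_numbers", [])
    cores = lists.get("cores", [])
    if not procs or not cores:
        problems.append("both process_numbers= and cores= are required")
        return {}, problems
    if len(procs) != len(cores):
        problems.append(f"{len(procs)} processes but {len(cores)} cores: "
                        "mapping must be 1:1")
    if len(set(procs)) != len(procs):
        problems.append("a process number is listed more than once")
    if len(set(cores)) != len(cores):
        problems.append("a core is listed more than once (mapping must be 1:1)")
    for p in procs:
        if p < 1:
            problems.append(f"process {p}: process numbers start at 1")
    for c in cores:
        if c < 1:
            problems.append(f"core {c}: cores are numbered from 1")
        elif cpu_count is not None and c > cpu_count:
            problems.append(f"core {c} does not exist on a {cpu_count}-core host")
    mapping = dict(zip(procs, cores)) if not problems else {}
    return mapping, problems
```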

shared_memory_locking

http://www.squid-cache.org/Versions/v4/cfgman/shared_memory_locking.html

Default: shared_memory_locking off

When Squid starts, "lock" shared memory into RAM, ensuring that all required shared memory is available. The alternative is a faster startup and then slightly slower performance, and a Squid crash if there is not actually enough RAM at run time.

SMP Squid uses many shared memory segments. These segments are brought into Squid's address space with the mmap system call. During Squid startup, the mmap system call always succeeds, regardless of whether the system actually has enough RAM. Usually, Squid cannot tell whether the kernel applies this "optimistic" memory allocation policy (but popular modern kernels usually use it).

Later, if Squid tries to actually access mapped memory beyond what the kernel is willing to provide, an "optimistic" kernel simply kills the Squid kid with a SIGBUS signal. Some memory limits currently enforced by the kernel are poorly understood: we do not know how to detect and check them. This option ensures that the mapped memory is available.

This option may have a positive effect on performance: locking memory at startup avoids paging I/O at run time. Paging slows Squid down.

Locking memory may require a sufficiently large RLIMIT_MEMLOCK OS limit, the CAP_IPC_LOCK capability, or equivalent.

mmap

[mmap]  https://blog.csdn.net/windgs_yf/article/details/81146887 

  • RLIMIT_MEMLOCK: the maximum amount of memory a process may lock with mlock

https://blog.csdn.net/nealgavin/article/details/21884489

  • CAP_IPC_LOCK: allows locking shared memory segments

https://blog.csdn.net/wangyunqian6/article/details/51888736
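An added Python example, not part of this page or of Squid, showing the mechanism the shared_memory_locking text describes: an anonymous shared mapping succeeds regardless of free RAM, and only mlock(2) reports whether the pages can really be pinned, failing with ENOMEM/EAGAIN when RLIMIT_MEMLOCK is too small or EPERM without CAP_IPC_LOCK. Linux with glibc is assumed; preflight() is a hypothetical helper an operator could run before turning the option on.

```python
import ctypes
import errno
import mmap
import resource

# errno values mlock(2) returns when the lock is refused: ENOMEM/EAGAIN when
# RLIMIT_MEMLOCK would be exceeded, EPERM when CAP_IPC_LOCK is missing.
LOCK_FAILURE_ERRNOS = (errno.ENOMEM, errno.EAGAIN, errno.EPERM)

_libc = ctypes.CDLL(None, use_errno=True)
_libc.mlock.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
_libc.munlock.argtypes = [ctypes.c_void_p, ctypes.c_size_t]


def memlock_soft_limit():
    """Current RLIMIT_MEMLOCK soft limit in bytes, or None when unlimited."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    return None if soft == resource.RLIM_INFINITY else soft


def lock_shared_segment(size):
    """Map an anonymous shared segment of `size` bytes and try to lock it.

    Returns a dict with mapped (mmap succeeded), locked (mlock succeeded),
    err (errno from mlock, 0 on success) and limit (RLIMIT_MEMLOCK soft).
    The mapping step is the "optimistic" part: it succeeds even when the RAM
    is not really there; only the mlock step exposes the shortfall.
    """
    result = {"mapped": False, "locked": False, "err": 0,
              "limit": memlock_soft_limit()}
    seg = mmap.mmap(-1, size)   # MAP_SHARED anonymous mapping, like a Squid segment
    result["mapped"] = True
    buf = (ctypes.c_char * size).from_buffer(seg)
    addr = ctypes.addressof(buf)
    if _libc.mlock(addr, size) == 0:
        result["locked"] = True
        _libc.munlock(addr, size)
    else:
        result["err"] = ctypes.get_errno()
    del buf                      # release the exported pointer before closing
    seg.close()
    return result


def preflight(size):
    """True when `size` bytes of shared memory could be locked right now."""
    limit = memlock_soft_limit()
    if limit is not None and size > limit:
        return False             # needs a larger RLIMIT_MEMLOCK or CAP_IPC_LOCK
    return lock_shared_segment(size)["locked"]
```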

hopeless_kid_revival_delay

Default: hopeless_kid_revival_delay 1 hour

Normally, when a kid process dies, Squid restarts it immediately. A kid that dies frequently within the period specified by this directive is marked hopeless, and hopeless kids are not restarted automatically.

Currently, this directive does not support a value of 0, because that would let a misconfigured SMP Squid instance run forever, endlessly restarting every dying kid. To effectively disable hopeless kid revival, set this delay to a huge value (e.g., 1 year).

Reconfiguration clears all hopeless kid designations, allowing hopeless kids to be restarted manually.

In short, this directive sets how long a hopeless kid waits before it is revived.

ACCESS CONTROLS

acl

 

http_access

 

Options affecting the neighbor selection algorithm

cache_peer

http://www.squid-cache.org/Versions/v4/cfgman/cache_peer.html

cache_peer hostname type http-port icp-port [options]
For example,
    
    #                                        proxy  icp
    #          hostname             type     port   port  options
    #          -------------------- -------- ----- -----  -----------
    cache_peer parent.foo.net       parent    3128  3130  default
    cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
    cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
    cache_peer example.com          parent    80       0  default
    cache_peer cdn.example.com      sibling   3128     0  
    
          type: either 'parent', 'sibling', or 'multicast'.
    
    proxy-port: The port number where the peer accepts HTTP requests.
            For other Squid proxies this is usually 3128
            For web servers this is usually 80
    
      icp-port: Used for querying neighbor caches about objects.
            Set to 0 if the peer does not support ICP or HTCP.
            See ICP and HTCP options below for additional details.
==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
    
    originserver    Causes this parent to be contacted as an origin server.
            Meant to be used in accelerator setups when the peer
            is a web server.
==== PEER SELECTION METHODS ====
    
    The default peer selection method is ICP, with the first responding peer
    being used as source. These options can be used for better load balancing.
    
    
    default     This is a parent cache which can be used as a "last-resort"
            if a peer cannot be located by any of the peer-selection methods.
            If specified more than once, only the first is used.
==== ICP OPTIONS ====
    
    You MUST also set icp_port and icp_access explicitly when using these options.
    The defaults will prevent peer traffic using ICP.
    
    
    no-query    Disable ICP queries to this neighbor.

ICP HTCP

Peers communicate with each other via the ICP protocol.

 

cache_peer_access

Restricts the use of a cache_peer.

Usage:
        cache_peer_access peer-name allow|deny [!]aclname ...

http://blog.chinaunix.net/uid-8065935-id-2034242.html

forward_max_tries

Default: forward_max_tries 25

Limits the number of forwarding attempts for a request.

Memory cache options

cache_mem

http://www.squid-cache.org/Versions/v4/cfgman/cache_mem.html

Default Value: cache_mem 256 MB

IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.

memory_cache_shared

Default Value: "on" where supported if doing memory caching with multiple SMP workers.

Controls whether the memory cache is shared among SMP workers.

    The shared memory cache is meant to occupy cache_mem bytes and replace
    the non-shared memory cache, although some entities may still be
    cached locally by workers for now (e.g., internal and in-transit
    objects may be served from a local memory cache even if shared memory
    caching is enabled).

    By default, the memory cache is shared if and only if all of the
    following conditions are satisfied: Squid runs in SMP mode with
    multiple workers, cache_mem is positive, and Squid environment
    supports required IPC primitives (e.g., POSIX shared memory segments
    and GCC-style atomic operations).

    To avoid blocking locks, shared memory uses opportunistic algorithms
    that do not guarantee that every cachable entity that could have been
    shared among SMP workers will actually be shared.

Disk cache options

cache_dir

http://www.squid-cache.org/Versions/v4/cfgman/cache_dir.html


====  The rock store type  ====

    Usage:
        cache_dir rock Directory-Name Mbytes [options]

    The Rock Store type is a database-style storage. All cached
    entries are stored in a "database" file, using fixed-size slots.
    A single entry occupies one or more slots.

    If possible, Squid using Rock Store creates a dedicated kid
    process called "disker" to avoid blocking Squid worker(s) on disk
    I/O. One disker kid is created for each rock cache_dir.  Diskers
    are created only when Squid, running in daemon mode, has support
    for the IpcIo disk I/O module.

    swap-timeout=msec: Squid will not start writing a miss to or
    reading a hit from disk if it estimates that the swap operation
    will take more than the specified number of milliseconds. By
    default and when set to zero, disables the disk I/O time limit
    enforcement. Ignored when using blocking I/O module because
    blocking synchronous I/O does not allow Squid to estimate the
    expected swap wait time.

    max-swap-rate=swaps/sec: Artificially limits disk access using
    the specified I/O rate limit. Swap out requests that
    would cause the average I/O rate to exceed the limit are
    delayed. Individual swap in requests (i.e., hits or reads) are
    not delayed, but they do contribute to measured swap rate and
    since they are placed in the same FIFO queue as swap out
    requests, they may wait longer if max-swap-rate is smaller.
    This is necessary on file systems that buffer "too
    many" writes and then start blocking Squid and other processes
    while committing those writes to disk.  Usually used together
    with swap-timeout to avoid excessive delays and queue overflows
    when disk demand exceeds available disk "bandwidth". By default
    and when set to zero, disables the disk I/O rate limit
    enforcement. Currently supported by IpcIo module only.

    slot-size=bytes: The size of a database "record" used for
    storing cached responses. A cached response occupies at least
    one slot and all database I/O is done using individual slots so
    increasing this parameter leads to more disk space waste while
    decreasing it leads to more disk I/O overheads. Should be a
    multiple of your operating system I/O page size. Defaults to
    16KBytes. A housekeeping header is stored with each slot and
    smaller slot-sizes will be rejected. The header is smaller than
    100 bytes.


    ==== COMMON OPTIONS ====

    no-store    no new objects should be stored to this cache_dir.

    min-size=n  the minimum object size in bytes this cache_dir
            will accept.  It's used to restrict a cache_dir
            to only store large objects (e.g. AUFS) while
            other stores are optimized for smaller objects
            (e.g. Rock).
            Defaults to 0.

    max-size=n  the maximum object size in bytes this cache_dir
            supports.
            The value in maximum_object_size directive sets
            the default unless more specific details are
            available (ie a small store capacity).

    Note: To make optimal use of the max-size limits you should order
    the cache_dir lines with the smallest max-size value first.
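An added Python example (not from this page or from Squid) that ties the byte-unit rules from the start of the page to the cache_dir notes above: parse_size applies the page's units, and check_cache_dirs flags cache_dir lines that are not ordered by ascending max-size, a min-size above max-size, and a rock slot-size that is not a multiple of the page size. The 4 MB stand-in for maximum_object_size and the 4096-byte page size are assumptions passed in as parameters; min-size and max-size are read as bytes, as the text documents them.

```python
import re

# Byte units as the "Values with byte units" section lists them (KB = 1024).
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'256 MB' -> 268435456; a bare number is taken as bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)?\s*", text)
    if not m:
        raise ValueError(f"bad size {text!r}")
    unit = m.group(2) or "bytes"
    if unit not in UNITS:
        raise ValueError(f"unknown unit {unit!r} in {text!r}")
    return int(m.group(1)) * UNITS[unit]


def parse_cache_dir(line):
    """Return (type, path, options) for one cache_dir line.

    Size options are converted to ints; positional numbers such as the
    aufs L1/L2 directory counts are kept as flags and otherwise ignored.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0] != "cache_dir":
        raise ValueError(f"not a cache_dir line: {line!r}")
    opts = {}
    for f in fields[3:]:
        if "=" in f:
            k, v = f.split("=", 1)
            opts[k] = parse_size(v) if k in ("min-size", "max-size", "slot-size") else v
        else:
            opts[f] = True
    return fields[1], fields[2], opts


def check_cache_dirs(lines, page_size=4096, default_max=parse_size("4 MB")):
    """Return a list of problem strings for a sequence of cache_dir lines.

    default_max stands in for maximum_object_size (assumed value here).
    """
    problems, prev_max = [], None
    for line in lines:
        kind, path, opts = parse_cache_dir(line)
        max_size = opts.get("max-size", default_max)
        if prev_max is not None and max_size < prev_max:
            problems.append(f"{path}: max-size {max_size} is below an earlier "
                            "cache_dir; order lines with the smallest max-size first")
        prev_max = max(prev_max or 0, max_size)
        if opts.get("min-size", 0) > max_size:
            problems.append(f"{path}: min-size exceeds max-size, nothing can be stored")
        if kind == "rock":
            slot = opts.get("slot-size", parse_size("16 KB"))
            if slot % page_size:
                problems.append(f"{path}: slot-size {slot} is not a multiple of "
                                f"the {page_size}-byte page size")
    return problems
```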

 

 

NETWORK OPTIONS

http_port

[Detailed explanation of http_port parameters]  http://www.squid-cache.org/Doc/config/http_port/

# Squid normally listens to port 3128
http_port 3128
Usage:  port [mode] [options]
        hostname:port [mode] [options]
        1.2.3.4:port [mode] [options]
  • socket address

The socket address on which Squid listens for client HTTP requests. You will usually specify multiple socket addresses. There are three forms, as shown in the Usage above.

You may not need to listen on a specific address; you can use a port number alone.

If you run Squid in accelerator mode, you will probably want to listen on port 80, or on some other port.

The -a command line option specifies additional ports on which Squid accepts proxy requests. Such ports will be plain proxy ports with no options.

You may specify multiple socket addresses on multiple lines.

Mode [mode]

  • intercept

Support IP-layer NAT interception delivering traffic to this port.

NP: disables authentication on the port.

  • tproxy

Support Linux TPROXY (or BSD divert-to) with spoofing of outgoing connections using the client IP address.

  • accel

Accelerator / reverse proxy mode.

  • ssl-bump

For each CONNECT request allowed by the ssl_bump ACLs, establish secure connections with the client and with the server, decrypt the HTTPS messages passing through Squid, and treat them as unencrypted HTTP messages, acting as a man in the middle.

The ssl_bump option must also be configured to fully enable this for CONNECT requests.

Omitting the mode flag causes default forward proxy mode to be used.

Accelerator mode options [options]

  • defaultsite=domainname

  • no-vhost

Disable using the HTTP/1.1 Host header to support virtual domains.

  • protocol=

Reconstruct the request protocol of accelerator-mode and intercept-mode requests as the specified protocol. The default is HTTP/1.1 for http_port and HTTPS/1.1 for https_port.

When an unsupported value is configured, Squid produces a FATAL error.

Values may be: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1

  • vport

Virtual host port support. Use the http_port number instead of the port passed in Host: headers.

  • vport=NN

Virtual host port support. Use the specified port number instead of the port passed in Host: headers.

  • act-as-origin

Act as if Squid were the origin server. Currently this means generating new Date: and Expires: headers on HITs instead of adding Age:.

  • ignore-cc

Ignore the Cache-Control headers of requests.

Reminder: this option violates the HTTP specification if used in non-accelerator mode.

  • allow-direct

Allow direct forwarding in accelerator mode. Normally, accelerated requests are denied direct forwarding, as if never_direct were in use.

WARNING: this option opens accelerator mode to the security vulnerabilities that usually only affect intercept mode. Make sure the routes used are properly restricted with http_access.

SSL Bump mode options [options]

  • generate-host-certificates[=<on|off>]

  • dynamic_cert_mem_cache_size=SIZE

If you run Squid on a dual-homed machine with an internal
and an external interface we recommend you to specify the
internal address:port in http_port. This way Squid will only be
visible on the internal address.
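An added example, not from this page or the Squid project: a Python lint pass over http_port lines that reports the conditions the http_port section above warns about (a bare port listens on every interface, intercept/tproxy disable authentication, accel combined with allow-direct, ignore-cc outside accelerator mode, and an unsupported protocol= value). The sample lines are constructed, not taken from a real deployment.

```python
# Mode flags as the http_port section lists them; accel/ssl-bump options follow.
MODES = {"intercept", "tproxy", "accel", "ssl-bump"}
PROTOCOLS = {"HTTP", "HTTP/1.1", "HTTPS", "HTTPS/1.1"}

# Constructed sample configuration (not from any real squid.conf).
SAMPLE_LINES = [
    "http_port 3128",
    "http_port 10.0.0.1:3128",
    "http_port 10.0.0.1:80 accel defaultsite=www.example.com vhost allow-direct",
    "http_port 10.0.0.1:3129 intercept",
]


def lint_http_port(line):
    """Return a list of (severity, message) findings for one http_port line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "http_port":
        return [("error", "not an http_port directive")]
    addr, rest = fields[1], fields[2:]
    mode = rest[0] if rest and rest[0] in MODES else None
    opts = {o.split("=", 1)[0]: (o.split("=", 1)[1] if "=" in o else True)
            for o in (rest[1:] if mode else rest)}
    findings = []
    if ":" not in addr:   # "port" form rather than hostname:port or 1.2.3.4:port
        findings.append(("warn", f"port {addr} has no address: Squid listens on "
                         "every interface; on a dual-homed host bind "
                         "internal-address:port instead"))
    if mode in ("intercept", "tproxy"):
        findings.append(("info", f"{mode} mode disables authentication on this port"))
    if mode == "accel" and "allow-direct" in opts:
        findings.append(("warn", "accel with allow-direct carries the risks of "
                         "intercept mode; make sure http_access restricts routes"))
    if "ignore-cc" in opts and mode != "accel":
        findings.append(("warn", "ignore-cc outside accelerator mode violates HTTP"))
    if mode == "ssl-bump":
        findings.append(("info", "ssl-bump needs ssl_bump ACLs to select CONNECTs"))
    if "protocol" in opts and opts["protocol"] not in PROTOCOLS:
        findings.append(("error", f"protocol={opts['protocol']} is unsupported; "
                         "Squid exits with a FATAL error"))
    return findings


def lint_all(lines=SAMPLE_LINES):
    """Map each http_port line to its findings."""
    return {line: lint_http_port(line) for line in lines}
```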

Other information

Profiling Squid

https://wiki.squid-cache.org/SquidFaq/SquidProfiling

Reverse proxy

https://wiki.squid-cache.org/SquidFaq/ReverseProxy
