squid.conf parameters in detail

squid.conf

Configuration documentation

[Configuration documentation]  http://www.squid-cache.org/Doc/config/

 Values with byte units
​
    Squid accepts size units on some size related directives. All
    such directives are documented with a default value displaying
    a unit.
​
    Units accepted by Squid are:
        bytes - byte
        KB - Kilobyte (1024 bytes)
        MB - Megabyte
        GB - Gigabyte

Open questions

  • What is a virtual host port?

 

 

Related reading

https://www.visolve.com/squid/squid30/

https://www.visolve.com/squid/squid30/network.html

 

SMP-related configuration options

http://www.squid-cache.org/Versions/v4/cfgman/

workers

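SMP support is disabled by default.

Number of main Squid processes or "workers" to fork and maintain.

  • 0: "no daemon" mode, like running "squid -N ..."

  • 1: "no SMP" mode, start one main Squid process daemon (default)

  • N: start N main Squid process daemons (i.e., SMP mode)

In SMP mode, each worker does nearly all of the work of a single Squid daemon (e.g., listens on http_port and forwards HTTP requests).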

cpu_affinity_map

The default is to let the operating system decide.

Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,...

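Sets a 1:1 mapping between Squid processes and CPU cores. For example,

    cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7

affects processes 1 through 4 only and places them on the first four even cores, starting with core #1.

CPU cores are numbered starting from 1. Requires support for the sched_getaffinity(2) and sched_setaffinity(2) system calls.

sched_getaffinity and sched_setaffinity

[sched_getaffinity and sched_setaffinity]  https://blog.csdn.net/i_am_jojo/article/details/7592186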

shared_memory_locking

http://www.squid-cache.org/Versions/v4/cfgman/shared_memory_locking.html

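Default: shared_memory_locking off

When Squid starts, "lock" shared memory into RAM to ensure that all required shared memory is available. The alternative is a faster startup followed by slightly slower performance and, if there is not actually enough RAM at runtime, Squid crashes.

SMP Squid uses many shared memory segments. These segments are brought into Squid's memory space with the mmap system call. During Squid startup, the mmap call always succeeds, regardless of whether the system has enough RAM. In general, Squid cannot tell whether the kernel applies this "optimistic" memory allocation policy (but popular modern kernels usually use it).

Later, if Squid attempts to actually access mapped memory beyond what the kernel is willing to allocate, the "optimistic" kernel simply kills the Squid kid with a SIGBUS signal. Some of the memory limits enforced by the kernel are currently poorly understood: we do not know how to detect and check them. This option ensures that the mapped memory will be available.

This option may have a positive effect on performance: locking memory at startup avoids runtime paging I/O. Paging slows Squid down.

Locking memory may require a large enough RLIMIT_MEMLOCK OS limit, the CAP_IPC_LOCK capability, or equivalent.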

mmap

[mmap]  https://blog.csdn.net/windgs_yf/article/details/81146887 

  • RLIMIT_MEMLOCK: the maximum amount of memory a process may lock with mlock

https://blog.csdn.net/nealgavin/article/details/21884489

  • CAP_IPC_LOCK: allows locking of shared memory segments

https://blog.csdn.net/wangyunqian6/article/details/51888736
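A pre-flight check for the RLIMIT_MEMLOCK requirement described above, as an added example that is not part of the original page or of Squid itself. It assumes cache_mem is a lower bound on the shared memory to be locked (other segments add to it), it does not account for CAP_IPC_LOCK, and the sample configuration is constructed.

```python
import re
import resource

# Byte units as listed on this page: KB means 1024 bytes.
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}
UNLIMITED = resource.RLIM_INFINITY

# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """
workers 4
cache_mem 2 GB            # shared among workers by default in SMP mode
shared_memory_locking on
"""

def parse_size(text):
    """Convert a Squid size such as '256 MB' into bytes."""
    m = re.fullmatch(r"(\d+)\s*(bytes|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def read_directives(conf_text):
    """Collect the directives this check needs, starting from the defaults on this page."""
    found = {"workers": "1", "cache_mem": "256 MB", "shared_memory_locking": "off"}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in found:
            found[parts[0]] = parts[1].strip()
    return found

def memlock_check(conf_text, soft_limit):
    """Return (ok, reason); soft_limit is the RLIMIT_MEMLOCK soft limit in bytes."""
    d = read_directives(conf_text)
    if d["shared_memory_locking"] != "on":
        return True, "locking off: nothing is locked at startup"
    if int(d["workers"]) <= 1:
        return True, "single worker: memory cache is not shared by default"
    need = parse_size(d["cache_mem"])  # assumption: lower bound, other segments add to it
    if soft_limit == UNLIMITED or soft_limit >= need:
        return True, f"limit covers cache_mem ({need} bytes)"
    return False, f"RLIMIT_MEMLOCK {soft_limit} < cache_mem {need} bytes"

if __name__ == "__main__":
    soft, _hard = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    print(memlock_check(SAMPLE_CONF, soft))
```

Run it as the account that starts Squid, since RLIMIT_MEMLOCK is a per-process limit inherited from that account's session.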

hopeless_kid_revival_delay

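Default value: hopeless_kid_revival_delay 1 hour

Normally, when a kid process dies, Squid immediately restarts it. A kid that experiences frequent deaths is marked as "hopeless" for the duration specified by this directive. Hopeless kids are not automatically restarted.

Currently, zero values are not supported because they would result in misconfigured SMP Squid instances running forever, endlessly restarting each dying kid. To effectively disable the revival of hopeless kids, set this delay to a huge value (e.g., 1 year).

Reconfiguration clears all hopeless kid designations, allowing hopeless kids to be restarted manually.

In short: how long it takes before a hopeless kid is restarted.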

ACCESS CONTROLS

acl

 

http_access

 

Options which affect the neighbor selection algorithm

cache_peer

http://www.squid-cache.org/Versions/v4/cfgman/cache_peer.html

cache_peer hostname type http-port icp-port [options]
For example,
    
    #                                        proxy  icp
    #          hostname             type     port   port  options
    #          -------------------- -------- ----- -----  -----------
    cache_peer parent.foo.net       parent    3128  3130  default
    cache_peer sib1.foo.net         sibling   3128  3130  proxy-only
    cache_peer sib2.foo.net         sibling   3128  3130  proxy-only
    cache_peer example.com          parent    80       0  default
    cache_peer cdn.example.com      sibling   3128     0  
    
          type: either 'parent', 'sibling', or 'multicast'.
    
    proxy-port: The port number where the peer accept HTTP requests.
            For other Squid proxies this is usually 3128
            For web servers this is usually 80
    
      icp-port: Used for querying neighbor caches about objects.
            Set to 0 if the peer does not support ICP or HTCP.
            See ICP and HTCP options below for additional details.
==== ACCELERATOR / REVERSE-PROXY OPTIONS ====
    
    originserver    Causes this parent to be contacted as an origin server.
            Meant to be used in accelerator setups when the peer
            is a web server.
==== PEER SELECTION METHODS ====
    
    The default peer selection method is ICP, with the first responding peer
    being used as source. These options can be used for better load balancing.
    
    
    default     This is a parent cache which can be used as a "last-resort"
            if a peer cannot be located by any of the peer-selection methods.
            If specified more than once, only the first is used.
==== ICP OPTIONS ====
    
    You MUST also set icp_port and icp_access explicitly when using these options.
    The defaults will prevent peer traffic using ICP.
    
    
    no-query    Disable ICP queries to this neighbor.

ICP HTCP

Peers communicate with each other using the ICP protocol.

 

cache_peer_access

Restricts the use of a cache_peer.

Usage:
        cache_peer_access peer-name allow|deny [!]aclname ...

http://blog.chinaunix.net/uid-8065935-id-2034242.html

forward_max_tries

Default value: forward_max_tries 25

Limits the number of attempts to forward a request.

Memory cache options

cache_mem

http://www.squid-cache.org/Versions/v4/cfgman/cache_mem.html

Default Value: cache_mem 256 MB

IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.

memory_cache_shared

Default Value: "on" where supported if doing memory caching with multiple SMP workers.

Controls whether the memory cache is shared among SMP workers.
​
    The shared memory cache is meant to occupy cache_mem bytes and replace
    the non-shared memory cache, although some entities may still be
    cached locally by workers for now (e.g., internal and in-transit
    objects may be served from a local memory cache even if shared memory
    caching is enabled).
​
    By default, the memory cache is shared if and only if all of the
    following conditions are satisfied: Squid runs in SMP mode with
    multiple workers, cache_mem is positive, and Squid environment
    supports required IPC primitives (e.g., POSIX shared memory segments
    and GCC-style atomic operations).
​
    To avoid blocking locks, shared memory uses opportunistic algorithms
    that do not guarantee that every cachable entity that could have been
    shared among SMP workers will actually be shared.

 

Disk cache options

cache_dir

http://www.squid-cache.org/Versions/v4/cfgman/cache_dir.html

The Rock Store type is a database-style storage. All cached entries are stored in a "database" file, using fixed-size slots. A single entry occupies one or more slots.

 

====  The rock store type  ====
​
    Usage:
        cache_dir rock Directory-Name Mbytes [options]
​
    The Rock Store type is a database-style storage. All cached
    entries are stored in a "database" file, using fixed-size slots.
    A single entry occupies one or more slots.
​
    If possible, Squid using Rock Store creates a dedicated kid
    process called "disker" to avoid blocking Squid worker(s) on disk
    I/O. One disker kid is created for each rock cache_dir.  Diskers
    are created only when Squid, running in daemon mode, has support
    for the IpcIo disk I/O module.
​
    swap-timeout=msec: Squid will not start writing a miss to or
    reading a hit from disk if it estimates that the swap operation
    will take more than the specified number of milliseconds. By
    default and when set to zero, disables the disk I/O time limit
    enforcement. Ignored when using blocking I/O module because
    blocking synchronous I/O does not allow Squid to estimate the
    expected swap wait time.
​
    max-swap-rate=swaps/sec: Artificially limits disk access using
    the specified I/O rate limit. Swap out requests that
    would cause the average I/O rate to exceed the limit are
    delayed. Individual swap in requests (i.e., hits or reads) are
    not delayed, but they do contribute to measured swap rate and
    since they are placed in the same FIFO queue as swap out
    requests, they may wait longer if max-swap-rate is smaller.
    This is necessary on file systems that buffer "too
    many" writes and then start blocking Squid and other processes
    while committing those writes to disk.  Usually used together
    with swap-timeout to avoid excessive delays and queue overflows
    when disk demand exceeds available disk "bandwidth". By default
    and when set to zero, disables the disk I/O rate limit
    enforcement. Currently supported by IpcIo module only.
​
    slot-size=bytes: The size of a database "record" used for
    storing cached responses. A cached response occupies at least
    one slot and all database I/O is done using individual slots so
    increasing this parameter leads to more disk space waste while
    decreasing it leads to more disk I/O overheads. Should be a
    multiple of your operating system I/O page size. Defaults to
    16KBytes. A housekeeping header is stored with each slot and
    smaller slot-sizes will be rejected. The header is smaller than
    100 bytes.
​
​
    ==== COMMON OPTIONS ====
​
    no-store    no new objects should be stored to this cache_dir.
​
    min-size=n  the minimum object size in bytes this cache_dir
            will accept.  It's used to restrict a cache_dir
            to only store large objects (e.g. AUFS) while
            other stores are optimized for smaller objects
            (e.g. Rock).
            Defaults to 0.
​
    max-size=n  the maximum object size in bytes this cache_dir
            supports.
            The value in maximum_object_size directive sets
            the default unless more specific details are
            available (ie a small store capacity).
​
    Note: To make optimal use of the max-size limits you should order
    the cache_dir lines with the smallest max-size value first.

 

 

NETWORK OPTIONS

http_port

[Detailed description of the http_port configuration parameters]  http://www.squid-cache.org/Doc/config/http_port/

# Squid normally listens to port 3128
http_port 3128
Usage:  port [mode] [options]
        hostname:port [mode] [options]
        1.2.3.4:port [mode] [options]
  • socket address

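The socket address on which Squid will listen for HTTP client requests. You may specify multiple socket addresses. There are three forms, as shown in the Usage above.

If you do not need to bind to a specific address, you can use the port number alone.

If you are running Squid in accelerator mode, you probably want to listen on port 80, or on some other port.

The -a command-line option may be used to specify additional ports on which Squid accepts proxy requests. Such ports will be plain proxy ports with no options.

You may specify multiple socket addresses on multiple lines.

Modes [mode]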

  • intercept

Support for IP-layer NAT interception delivering traffic to this port.

NP: disables authentication on the port.

  • tproxy

Support Linux TPROXY (or BSD divert-to) with spoofing of outgoing connections using the client IP address.

  • accel

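Accelerator / reverse proxy mode

  • ssl-bump

For each CONNECT request allowed by the ssl_bump ACLs, establish a secure connection with the client and with the server, decrypt the HTTPS messages as they pass through Squid, and treat them as unencrypted HTTP messages, acting as a man-in-the-middle.

The ssl_bump option is required to fully enable the bumping of CONNECT requests.

Omitting the mode flag causes default forward proxy mode to be used.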

 

Accelerator mode options [options]

  • defaultsite=domainname

 

  • no-vhost

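Disables the use of the HTTP/1.1 Host header for virtual domain support.

  • protocol=

Reconstructs the request protocol of accelerated and intercepted requests as the specified protocol. The default is HTTP/1.1 for http_port and HTTPS/1.1 for https_port.

When an unsupported value is configured, Squid produces a FATAL error.

Accepted values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1

  • vport

Virtual host port support. Uses the http_port number instead of the port passed on Host: headers.

  • vport=NN

Virtual host port support. Uses the specified port number instead of the port passed on Host: headers.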

  • act-as-origin

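Act as if this Squid is the origin server. Currently, this means generating new Date: and Expires: headers on a HIT instead of adding Age:.

  • ignore-cc

Ignore request Cache-Control headers.

Warning: this option violates the HTTP specification if used in non-accelerator setups.

  • allow-direct

Allow direct forwarding in accelerator mode. Normally, accelerated requests are denied direct forwarding, as if never_direct were in use.

Warning: this option opens accelerator mode to the security vulnerabilities that usually affect only intercept mode. Make sure forwarding is protected by suitable http_access rules.

SSL Bump mode options [options]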

  • generate-host-certificates[=<on|off>]

  • dynamic_cert_mem_cache_size=SIZE

 

If you run Squid on a dual-homed machine with an internal
    and an external interface we recommend you to specify the
    internal address:port in http_port. This way Squid will only be
    visible on the internal address.
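A small audit of http_port lines for the caveats noted in this section (wildcard bind on a dual-homed host, intercept disabling authentication, allow-direct, ignore-cc outside accelerator mode, ssl-bump interception), as an added example that is not from the original page or from Squid. The finding names and the sample configuration are constructed for illustration.

```python
# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """
http_port 3128
http_port 192.0.2.10:80 accel defaultsite=www.example.com allow-direct
http_port 10.0.0.1:3129 intercept
http_port 10.0.0.1:3130 ignore-cc
"""

MODES = {"intercept", "tproxy", "accel", "ssl-bump"}
EXPLAIN = {
    "wildcard-bind": "no address given; on a dual-homed host use internal address:port",
    "auth-disabled": "intercept mode disables authentication on this port",
    "allow-direct": "direct forwarding in accel mode; protect it with http_access",
    "ignore-cc-outside-accel": "ignore-cc violates HTTP outside accelerator mode",
    "tls-interception": "ssl-bump makes Squid a man-in-the-middle for bumped CONNECTs",
}

def parse_http_port(line):
    """Split one http_port line into host, port, modes and option names."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "http_port":
        return None
    host, sep, port = tokens[1].rpartition(":")
    flags = tokens[2:]
    return {
        "host": host if sep else None,  # None: the port is open on every address
        "port": int(port),
        "modes": {f for f in flags if f in MODES},
        "options": {f.split("=", 1)[0] for f in flags if f not in MODES},
    }

def audit(conf_text):
    """Return sorted (port, finding) pairs for all http_port lines."""
    findings = set()
    for p in filter(None, map(parse_http_port, conf_text.splitlines())):
        checks = {
            "wildcard-bind": p["host"] is None,
            "auth-disabled": "intercept" in p["modes"],
            "allow-direct": "allow-direct" in p["options"],
            "ignore-cc-outside-accel": "ignore-cc" in p["options"] and "accel" not in p["modes"],
            "tls-interception": "ssl-bump" in p["modes"],
        }
        findings.update((p["port"], name) for name, hit in checks.items() if hit)
    return sorted(findings)

if __name__ == "__main__":
    for port, name in audit(SAMPLE_CONF):
        print(f"http_port {port}: {name}: {EXPLAIN[name]}")
```

A finding is a prompt to review the matching http_access and ssl_bump rules, not proof of a misconfiguration.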

 


 

Other information

Profiling Squid

https://wiki.squid-cache.org/SquidFaq/SquidProfiling

Reverse proxy

https://wiki.squid-cache.org/SquidFaq/ReverseProxy
