#	WELCOME TO SQUID 3.1.12
#	----------------------------
#
#	This is the default Squid configuration file. You may wish
#	to look at the Squid home page (http://www.squid-cache.org/)
#	for the FAQ and other documentation.
#
#	The default Squid config file shows what the defaults for
#	various options happen to be.  If you don't need to change the
#	default, you shouldn't uncomment the line.  Doing so may cause
#	run-time problems.  In some cases "none" refers to no default
#	setting at all, while in other cases it refers to a valid
#	option - the comments for that keyword indicate if this is the
#	case.
#

#  Configuration options can be included using the "include" directive.
#  Include takes a list of files to include. Quoting and wildcards is
#  supported.
#
#  For example,
#
#  include /path/to/included/file/squid.acl.config
#
#  Includes can be nested up to a hard-coded depth of 16 levels.
#  This arbitrary restriction is to prevent recursive include references
#  from causing Squid entering an infinite loop whilst trying to load
#  configuration files.

#  TAG: dns_testnames
#	Remove this line. DNS is no longer tested on startup.
#Default:
# none

#  TAG: extension_methods
#	Remove this line. All valid methods for HTTP are accepted by default.
#Default:
# none

#  TAG: incoming_rate
#  TAG: server_http11
#	Remove this line. HTTP/1.1 is supported by default.
#Default:
# none

#  TAG: upgrade_http0.9
#	Remove this line. ICY/1.0 streaming protocol is supported by default.
#Default:
# none

#  TAG: zph_local
#	Alter these entries. Use the qos_flows directive instead.
#Default:
# none

#  TAG: header_access
#	Since squid-3.0 replace with request_header_access or reply_header_access
#	depending on whether you wish to match client requests or server replies.
#Default:
# none

#  TAG: httpd_accel_no_pmtu_disc
#	Since squid-3.0 use the 'disable-pmtu-discovery' flag on http_port instead.
#Default:
# none

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

#  TAG: auth_param
#	This is used to define parameters for the various authentication
#	schemes supported by Squid.
#
#	format: auth_param scheme parameter [setting]
#
#	The order in which authentication schemes are presented to the client is
#	dependent on the order the scheme first appears in config file. IE
#	has a bug (it's not RFC 2617 compliant) in that it will use the basic
#	scheme if basic is the first entry presented, even if more secure
#	schemes are presented. For now use the order in the recommended
#	settings section below. If other browsers have difficulties (don't
#	recognize the schemes offered even if you are using basic) either
#	put basic first, or disable the other schemes (by commenting out their
#	program entry).
#
#	Once an authentication scheme is fully configured, it can only be
#	shutdown by shutting squid down and restarting. Changes can be made on
#	the fly and activated with a reconfigure. I.E. You can change to a
#	different helper, but not unconfigure the helper completely.
#
#	Please note that while this directive defines how Squid processes
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	on login name in http_access (proxy_auth, proxy_auth_regex or
#	external with %LOGIN used in the format tag). The browser will be
#	challenged for authentication on the first such acl encountered
#	in http_access processing and will also be re-challenged for new
#	login credentials if the request is being denied by a proxy_auth
#	type acl.
#
#	WARNING: authentication can't be used in a transparently intercepting
#	proxy as the client then thinks it is talking to an origin server and
#	not the proxy. This is a limitation of bending the TCP/IP protocol to
#	transparently intercepting port 80, not a limitation in Squid.
#	Ports flagged 'transparent', 'intercept', or 'tproxy' have
#	authentication disabled.
#
#	=== Parameters for the basic scheme follow. ===
#
#	"program" cmdline
#	Specify the command for the external authenticator.  Such a program
#	reads a line containing "username password" and replies "OK" or
#	"ERR" in an endless loop. "ERR" responses may optionally be followed
#	by a error description available as %m in the returned error page.
#	If you use an authenticator, make sure you have 1 acl of type
#	proxy_auth.
#
#	By default, the basic authentication scheme is not used unless a
#	program is specified.
#
#	If you want to use the traditional NCSA proxy authentication, set
#	this line to something like
#
#	auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
#
#	"utf8" on|off
#	HTTP uses iso-latin-1 as characterset, while some authentication
#	backends such as LDAP expects UTF-8. If this is set to on Squid will
#	translate the HTTP iso-latin-1 charset to UTF-8 before sending the
#	username & password to the helper.
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn. If you start too few
#	Squid will have to wait for them to process a backlog of credential
#	verifications, slowing it down. When password verifications are
#	done via a (slow) network you are likely to need lots of
#	authenticator processes.
#	auth_param basic children 5
#
#	"concurrency" concurrency
#	The number of concurrent requests the helper can process.
#	The default of 0 is used for helpers who only supports
#	one request at a time. Setting this changes the protocol used to
#	include a channel number first on the request/response line, allowing
#	multiple requests to be sent to the same helper in parallell without
#	wating for the response.
#	Must not be set unless it's known the helper supports this.
#	auth_param basic concurrency 0
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the
#	client for the basic proxy authentication scheme (part of
#	the text the user will see when prompted their username and
#	password). There is no default.
#	auth_param basic realm Squid proxy-caching web server
#
#	"credentialsttl" timetolive
#	Specifies how long squid assumes an externally validated
#	username:password pair is valid for - in other words how
#	often the helper program is called for that user. Set this
#	low to force revalidation with short lived passwords.  Note
#	setting this high does not impact your susceptibility
#	to replay attacks unless you are using an one-time password
#	system (such as SecureID).  If you are using such a system,
#	you will be vulnerable to replay attacks unless you also
#	use the max_user_ip ACL in an http_access rule.
#
#	"casesensitive" on|off
#	Specifies if usernames are case sensitive. Most user databases are
#	case insensitive allowing the same username to be spelled using both
#	lower and upper case letters, but some are case sensitive. This
#	makes a big difference for user_max_ip ACL processing and similar.
#	auth_param basic casesensitive off
#
#	=== Parameters for the digest scheme follow ===
#
#	"program" cmdline
#	Specify the command for the external authenticator.  Such
#	a program reads a line containing "username":"realm" and
#	replies with the appropriate H(A1) value hex encoded or
#	ERR if the user (or his H(A1) hash) does not exists.
#	See rfc 2616 for the definition of H(A1).
#	"ERR" responses may optionally be followed by a error description
#	available as %m in the returned error page.
#
#	By default, the digest authentication scheme is not used unless a
#	program is specified.
#
#	If you want to use a digest authenticator, set this line to
#	something like
#
#	auth_param digest program /usr/bin/digest_pw_auth /usr/etc/digpass
#
#	"utf8" on|off
#	HTTP uses iso-latin-1 as characterset, while some authentication
#	backends such as LDAP expects UTF-8. If this is set to on Squid will
#	translate the HTTP iso-latin-1 charset to UTF-8 before sending the
#	username & password to the helper.
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn (no default).
#	If you start too few Squid will have to wait for them to
#	process a backlog of H(A1) calculations, slowing it down.
#	When the H(A1) calculations are done via a (slow) network
#	you are likely to need lots of authenticator processes.
#	auth_param digest children 5
#
#	"realm" realmstring
#	Specifies the realm name which is to be reported to the
#	client for the digest proxy authentication scheme (part of
#	the text the user will see when prompted their username and
#	password). There is no default.
#	auth_param digest realm Squid proxy-caching web server
#
#	"nonce_garbage_interval" timeinterval
#	Specifies the interval that nonces that have been issued
#	to client_agent's are checked for validity.
#
#	"nonce_max_duration" timeinterval
#	Specifies the maximum length of time a given nonce will be
#	valid for.
#
#	"nonce_max_count" number
#	Specifies the maximum number of times a given nonce can be
#	used.
#
#	"nonce_strictness" on|off
#	Determines if squid requires strict increment-by-1 behavior
#	for nonce counts, or just incrementing (off - for use when
#	useragents generate nonce counts that occasionally miss 1
#	(ie, 1,2,4,6)). Default off.
#
#	"check_nonce_count" on|off
#	This directive if set to off can disable the nonce count check
#	completely to work around buggy digest qop implementations in
#	certain mainstream browser versions. Default on to check the
#	nonce count to protect from authentication replay attacks.
#
#	"post_workaround" on|off
#	This is a workaround to certain buggy browsers who sends
#	an incorrect request digest in POST requests when reusing
#	the same nonce as acquired earlier on a GET request.
#
#	=== NTLM scheme options follow ===
#
#	"program" cmdline
#	Specify the command for the external NTLM authenticator.
#	Such a program reads exchanged NTLMSSP packets with
#	the browser via Squid until authentication is completed.
#	If you use an NTLM authenticator, make sure you have 1 acl
#	of type proxy_auth.  By default, the NTLM authenticator_program
#	is not used.
#
#	auth_param ntlm program /usr/bin/ntlm_auth
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn (no default).
#	If you start too few Squid will have to wait for them to
#	process a backlog of credential verifications, slowing it
#	down. When credential verifications are done via a (slow)
#	network you are likely to need lots of authenticator
#	processes.
#
#	auth_param ntlm children 5
#
#	"keep_alive" on|off
#	Whether to keep the connection open after the initial response where
#	Squid tells the browser which schemes are supported by the proxy.
#	Some browsers are known to present many login popups or to corrupt
#	POST/PUT requests transfer if the connection is not closed.
#	The default is currently OFF to avoid this, but may change.
#	
#	auth_param ntlm keep_alive on
#
#	=== Options for configuring the NEGOTIATE auth-scheme follow ===
#
#	"program" cmdline
#	Specify the command for the external Negotiate authenticator.
#	This protocol is used in Microsoft Active-Directory enabled setups with
#	the Microsoft Internet Explorer or Mozilla Firefox browsers.
#	Its main purpose is to exchange credentials with the Squid proxy
#	using the Kerberos mechanisms.
#	If you use a Negotiate authenticator, make sure you have at least
#	one acl of type proxy_auth active. By default, the negotiate
#	authenticator_program is not used.
#	The only supported program for this role is the ntlm_auth
#	program distributed as part of Samba, version 4 or later.
#
#	auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
#
#	"children" numberofchildren
#	The number of authenticator processes to spawn (no default).
#	If you start too few Squid will have to wait for them to
#	process a backlog of credential verifications, slowing it
#	down. When crendential verifications are done via a (slow)
#	network you are likely to need lots of authenticator
#	processes.
#	auth_param negotiate children 5
#
#	"keep_alive" on|off
#	Whether to keep the connection open after the initial response where
#	Squid tells the browser which schemes are supported by the proxy.
#	Some browsers are known to present many login popups or to corrupt
#	POST/PUT requests transfer if the connection is not closed.
#	The default is currently OFF to avoid this, but may change.
#	
#	auth_param negotiate keep_alive on
#
#
#	Examples:
#
##Recommended minimum configuration per scheme:
##auth_param negotiate program <uncomment and complete this line to activate>
##auth_param negotiate children 5
##auth_param negotiate keep_alive on
##
##auth_param ntlm program <uncomment and complete this line to activate>
##auth_param ntlm children 5
##auth_param ntlm keep_alive on
##
##auth_param digest program <uncomment and complete this line>
##auth_param digest children 5
##auth_param digest realm Squid proxy-caching web server
##auth_param digest nonce_garbage_interval 5 minutes
##auth_param digest nonce_max_duration 30 minutes
##auth_param digest nonce_max_count 50
##
##auth_param basic program <uncomment and complete this line>
##auth_param basic children 5
##auth_param basic realm Squid proxy-caching web server
##auth_param basic credentialsttl 2 hours
#Default:
# none

