
#  TAG: adapted_http_access
#	Allowing or Denying access based on defined access lists
#
#	Essentially identical to http_access, but runs after redirectors
#	and ICAP/eCAP adaptation. Allowing access control based on their
#	output.
#
#	If not set then only http_access is used.
#Default:
# none

#  TAG: http_reply_access
#	Allow replies to client requests. This is complementary to http_access.
#
#	http_reply_access allow|deny [!] aclname ...
#
#	NOTE: if there are no access lines present, the default is to allow
#	all replies
#
#	If none of the access lines cause a match the opposite of the
#	last line will apply. Thus it is good practice to end the rules
#	with an "allow all" or "deny all" entry.
#
#	This clause supports both fast and slow acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# none

#  TAG: icp_access
#	Allowing or Denying access to the ICP port based on defined
#	access lists
#
#	icp_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
#	This clause only supports fast acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow ICP queries from local networks only
##icp_access allow localnet
##icp_access deny all
#Default:
# icp_access deny all

#  TAG: htcp_access
#	Allowing or Denying access to the HTCP port based on defined
#	access lists
#
#	htcp_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
#	NOTE: The default if no htcp_access lines are present is to
#	deny all traffic. This default may cause problems with peers
#	using the htcp or htcp-oldsquid options.
#
#	This clause only supports fast acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow HTCP queries from local networks only
##htcp_access allow localnet
##htcp_access deny all
#Default:
# htcp_access deny all

#  TAG: htcp_clr_access
#	Allowing or Denying access to purge content using HTCP based
#	on defined access lists
#
#	htcp_clr_access  allow|deny [!]aclname ...
#
#	See http_access for details
#
#	This clause only supports fast acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#Default:
# htcp_clr_access deny all

#  TAG: miss_access
#	Use to force your neighbors to use you as a sibling instead of
#	a parent.  For example:
#
#		acl localclients src 172.16.0.0/16
#		miss_access allow localclients
#		miss_access deny  !localclients
#
#	This means only your local clients are allowed to fetch
#	MISSES and all other clients can only fetch HITS.
#
#	By default, allow all clients who passed the http_access rules
#	to fetch MISSES from us.
#
#	This clause only supports fast acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# miss_access allow all

#  TAG: ident_lookup_access
#	A list of ACL elements which, if matched, cause an ident
#	(RFC 931) lookup to be performed for this request.  For
#	example, you might choose to always perform ident lookups
#	for your main multi-user Unix boxes, but not for your Macs
#	and PCs.  By default, ident lookups are not performed for
#	any requests.
#
#	To enable ident lookups for specific client addresses, you
#	can follow this example:
#
#	acl ident_aware_hosts src 198.168.1.0/24
#	ident_lookup_access allow ident_aware_hosts
#	ident_lookup_access deny all
#
#	Only src type ACL checks are fully supported.  A srcdomain
#	ACL might work at times, but it will not always provide
#	the correct result.
#
#	This clause only supports fast acl types.
#	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#Default:
# ident_lookup_access deny all

#  TAG: reply_body_max_size	size [acl acl...]
#	This option specifies the maximum size of a reply body. It can be
#	used to prevent users from downloading very large files, such as
#	MP3's and movies. When the reply headers are received, the
#	reply_body_max_size lines are processed, and the first line where
#	all (if any) listed ACLs are true is used as the maximum body size
#	for this reply.
#
#	This size is checked twice. First when we get the reply headers,
#	we check the content-length value.  If the content length value exists
#	and is larger than the allowed size, the request is denied and the
#	user receives an error message that says "the request or reply
#	is too large." If there is no content-length, and the reply
#	size exceeds this limit, the client's connection is just closed
#	and they will receive a partial reply.
#
#	WARNING: downstream caches probably can not detect a partial reply
#	if there is no content-length header, so they will cache
#	partial responses and give them out as hits.  You should NOT
#	use this option if you have downstream caches.
#
#	WARNING: A maximum size smaller than the size of squid's error messages
#	will cause an infinite loop and crash squid. Ensure that the smallest
#	non-zero value you use is greater that the maximum header size plus
#	the size of your largest error page.
#
#	If you set this parameter none (the default), there will be
#	no limit imposed.
#
#	Configuration Format is:
#		reply_body_max_size SIZE UNITS [acl ...]
#	ie.
#		reply_body_max_size 10 MB
#
#Default:
# none

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#	Usage:	port [options]
#		hostname:port [options]
#		1.2.3.4:port [options]
#
#	The socket addresses where Squid will listen for HTTP client
#	requests.  You may specify multiple socket addresses.
#	There are three forms: port alone, hostname with port, and
#	IP address with port.  If you specify a hostname or IP
#	address, Squid binds the socket to that specific
#	address.  This replaces the old 'tcp_incoming_address'
#	option.  Most likely, you do not need to bind to a specific
#	address, so you can use the port number alone.
#
#	If you are running Squid in accelerator mode, you
#	probably want to listen on port 80 also, or instead.
#
#	The -a command line option may be used to specify additional
#	port(s) where Squid listens for proxy request. Such ports will
#	be plain proxy ports with no options.
#
#	You may specify multiple socket addresses on multiple lines.
#
#	Options:
#
#	   intercept	Support for IP-Layer interception of
#			outgoing requests without browser settings.
#			NP: disables authentication and IPv6 on the port.
#
#	   tproxy	Support Linux TPROXY for spoofing outgoing
#			connections using the client IP address.
#			NP: disables authentication and maybe IPv6 on the port.
#
#	   accel	Accelerator mode. Also needs at least one of
#			vhost / vport / defaultsite.
#
#	   allow-direct	Allow direct forwarding in accelerator mode. Normally
#			accelerated requests are denied direct forwarding as if
#			never_direct was used.
#
#	   defaultsite=domainname
#			What to use for the Host: header if it is not present
#			in a request. Determines what site (not origin server)
#			accelerators should consider the default.
#			Implies accel.
#
#	   vhost	Accelerator mode using Host header for virtual
#			domain support. Implies accel.
#
#	   vport	Accelerator with IP based virtual host support.
#			Implies accel.
#
#	   vport=NN	As above, but uses specified port number rather
#			than the http_port number. Implies accel.
#
#	   protocol=	Protocol to reconstruct accelerated requests with.
#			Defaults to http.
#
#	   ignore-cc	Ignore request Cache-Control headers.
#
#	   		Warning: This option violates HTTP specifications if
#			used in non-accelerator setups.
#
#	   connection-auth[=on|off]
#	                use connection-auth=off to tell Squid to prevent 
#	                forwarding Microsoft connection oriented authentication
#			(NTLM, Negotiate and Kerberos)
#
#	   disable-pmtu-discovery=
#			Control Path-MTU discovery usage:
#			    off		lets OS decide on what to do (default).
#			    transparent	disable PMTU discovery when transparent
#					support is enabled.
#			    always	disable always PMTU discovery.
#
#			In many setups of transparently intercepting proxies
#			Path-MTU discovery can not work on traffic towards the
#			clients. This is the case when the intercepting device
#			does not fully track connections and fails to forward
#			ICMP must fragment messages to the cache server. If you
#			have such setup and experience that certain clients
#			sporadically hang or never complete requests set
#			disable-pmtu-discovery option to 'transparent'.
#
#	   ssl-bump 	Intercept each CONNECT request matching ssl_bump ACL,
#			establish secure connection with the client and with
#			the server, decrypt HTTP messages as they pass through
#			Squid, and treat them as unencrypted HTTP messages,
#			becoming the man-in-the-middle.
#
#			When this option is enabled, additional options become
#			available to specify SSL-related properties of the
#			client-side connection: cert, key, version, cipher,
#			options, clientca, cafile, capath, crlfile, dhparams,
#			sslflags, and sslcontext. See the https_port directive
#			for more information on these options.
#
#			The ssl_bump option is required to fully enable
#			the SslBump feature.
#
#	   name=	Specifies a internal name for the port. Defaults to
#			the port specification (port or addr:port)
#
#	   tcpkeepalive[=idle,interval,timeout]
#			Enable TCP keepalive probes of idle connections.
#			In seconds; idle is the initial time before TCP starts
#			probing the connection, interval how often to probe, and
#			timeout the time before giving up.
#
#	If you run Squid on a dual-homed machine with an internal
#	and an external interface we recommend you to specify the
#	internal address:port in http_port. This way Squid will only be
#	visible on the internal address.
#
#

# Squid normally listens to port 3128
#http_port 3128
