Usage: port [mode] [options]
hostname:port [mode] [options]
1.2.3.4:port [mode] [options]
The socket addresses where Squid will listen for HTTP client
requests. You may specify multiple socket addresses.
There are three forms: port alone, hostname with port, and
IP address with port. If you specify a hostname or IP
address, Squid binds the socket to that specific
address. Most likely, you do not need to bind to a specific
address, so you can use the port number alone.
If you are running Squid in accelerator mode, you
probably want to listen on port 80 also, or instead.
The -a command line option may be used to specify additional
port(s) where Squid listens for proxy request. Such ports will
be plain proxy ports with no options.
You may specify multiple socket addresses on multiple lines.
Modes:
intercept Support for IP-Layer NAT interception delivering
traffic to this Squid port.
NP: disables authentication on the port.
tproxy Support Linux TPROXY (or BSD divert-to) with spoofing
of outgoing connections using the client IP address.
NP: disables authentication on the port.
accel Accelerator / reverse proxy mode
ssl-bump For each CONNECT request allowed by ssl_bump ACLs,
establish secure connection with the client and with
the server, decrypt HTTPS messages as they pass through
Squid, and treat them as unencrypted HTTP messages,
becoming the man-in-the-middle.
The ssl_bump option is required to fully enable
bumping of CONNECT requests.
Omitting the mode flag causes default forward proxy mode to be used.
Accelerator Mode Options:
defaultsite=domainname
What to use for the Host: header if it is not present
in a request. Determines what site (not origin server)
accelerators should consider the default.
no-vhost Disable using HTTP/1.1 Host header for virtual domain support.
protocol= Protocol to reconstruct accelerated and intercepted
requests with. Defaults to HTTP/1.1 for http_port and
HTTPS/1.1 for https_port.
When an unsupported value is configured Squid will
produce a FATAL error.
Values: HTTP or HTTP/1.1, HTTPS or HTTPS/1.1
vport Virtual host port support. Using the http_port number
instead of the port passed on Host: headers.
vport=NN Virtual host port support. Using the specified port
number instead of the port passed on Host: headers.
act-as-origin
Act as if this Squid is the origin server.
This currently means generate new Date: and Expires:
headers on HIT instead of adding Age:.
ignore-cc Ignore request Cache-Control headers.
WARNING: This option violates HTTP specifications if
used in non-accelerator setups.
allow-direct Allow direct forwarding in accelerator mode. Normally
accelerated requests are denied direct forwarding as if
never_direct was used.
WARNING: this option opens accelerator mode to security
vulnerabilities usually only affecting in interception
mode. Make sure to protect forwarding with suitable
http_access rules when using this.
SSL Bump Mode Options:
In addition to these options ssl-bump requires TLS/SSL options.
generate-host-certificates[=<on|off>]
Dynamically create SSL server certificates for the
destination hosts of bumped CONNECT requests.When
enabled, the cert and key options are used to sign
generated certificates. Otherwise generated
certificate will be selfsigned.
If there is a CA certificate lifetime of the generated
certificate equals lifetime of the CA certificate. If
generated certificate is selfsigned lifetime is three
years.
This option is enabled by default when ssl-bump is used.
See the ssl-bump option above for more information.
dynamic_cert_mem_cache_size=SIZE
Approximate total RAM size spent on cached generated
certificates. If set to zero, caching is disabled. The
default value is 4MB.
TLS / SSL Options:
tls-cert= Path to file containing an X.509 certificate (PEM format)
to be used in the TLS handshake ServerHello.
If this certificate is constrained by KeyUsage TLS
feature it must allow HTTP server usage, along with
any additional restrictions imposed by your choice
of options= settings.
When OpenSSL is used this file may also contain a
chain of intermediate CA certificates to send in the
TLS handshake.
When GnuTLS is used this option (and any paired
tls-key= option) may be repeated to load multiple
certificates for different domains.
Also, when generate-host-certificates=on is configured
the first tls-cert= option must be a CA certificate
capable of signing the automatically generated
certificates.
tls-key= Path to a file containing private key file (PEM format)
for the previous tls-cert= option.
If tls-key= is not specified tls-cert= is assumed to
reference a PEM file containing both the certificate
and private key.
cipher= Colon separated list of supported ciphers.
NOTE: some ciphers such as EDH ciphers depend on
additional settings. If those settings are
omitted the ciphers may be silently ignored
by the OpenSSL library.
options= Various SSL implementation options. The most important
being:
NO_SSLv3 Disallow the use of SSLv3
NO_TLSv1 Disallow the use of TLSv1.0
NO_TLSv1_1 Disallow the use of TLSv1.1
NO_TLSv1_2 Disallow the use of TLSv1.2
SINGLE_DH_USE
Always create a new key when using
temporary/ephemeral DH key exchanges
SINGLE_ECDH_USE
Enable ephemeral ECDH key exchange.
The adopted curve should be specified
using the tls-dh option.
NO_TICKET
Disable use of RFC5077 session tickets.
Some servers may have problems
understanding the TLS extension due
to ambiguous specification in RFC4507.
ALL Enable various bug workarounds
suggested as "harmless" by OpenSSL
Be warned that this reduces SSL/TLS
strength to some attacks.
See the OpenSSL SSL_CTX_set_options documentation for a
more complete list.
clientca= File containing the list of CAs to use when
requesting a client certificate.
tls-cafile= PEM file containing CA certificates to use when verifying
client certificates. If not configured clientca will be
used. May be repeated to load multiple files.
capath= Directory containing additional CA certificates
and CRL lists to use when verifying client certificates.
Requires OpenSSL or LibreSSL.
crlfile= File of additional CRL lists to use when verifying
the client certificate, in addition to CRLs stored in
the capath. Implies VERIFY_CRL flag below.
tls-dh=[curve:]file
File containing DH parameters for temporary/ephemeral DH key
exchanges, optionally prefixed by a curve for ephemeral ECDH
key exchanges.
See OpenSSL documentation for details on how to create the
DH parameter file. Supported curves for ECDH can be listed
using the "openssl ecparam -list_curves" command.
WARNING: EDH and EECDH ciphers will be silently disabled if
this option is not set.
sslflags= Various flags modifying the use of SSL:
DELAYED_AUTH
Don't request client certificates
immediately, but wait until acl processing
requires a certificate (not yet implemented).
CONDITIONAL_AUTH
Request a client certificate during the TLS
handshake, but ignore certificate absence in
the TLS client Hello. If the client does
supply a certificate, it is validated.
NO_SESSION_REUSE
Don't allow for session reuse. Each connection
will result in a new SSL session.
VERIFY_CRL
Verify CRL lists when accepting client
certificates.
VERIFY_CRL_ALL
Verify CRL lists for all certificates in the
client certificate chain.
tls-default-ca[=off]
Whether to use the system Trusted CAs. Default is OFF.
tls-no-npn Do not use the TLS NPN extension to advertise HTTP/1.1.
sslcontext= SSL session ID context identifier.
Other Options:
connection-auth[=on|off]
use connection-auth=off to tell Squid to prevent
forwarding Microsoft connection oriented authentication
(NTLM, Negotiate and Kerberos)
disable-pmtu-discovery=
Control Path-MTU discovery usage:
off lets OS decide on what to do (default).
transparent disable PMTU discovery when transparent
support is enabled.
always disable always PMTU discovery.
In many setups of transparently intercepting proxies
Path-MTU discovery can not work on traffic towards the
clients. This is the case when the intercepting device
does not fully track connections and fails to forward
ICMP must fragment messages to the cache server. If you
have such setup and experience that certain clients
sporadically hang or never complete requests set
disable-pmtu-discovery option to 'transparent'.
name= Specifies a internal name for the port. Defaults to
the port specification (port or addr:port)
tcpkeepalive[=idle,interval,timeout]
Enable TCP keepalive probes of idle connections.
In seconds; idle is the initial time before TCP starts
probing the connection, interval how often to probe, and
timeout the time before giving up.
require-proxy-header
Require PROXY protocol version 1 or 2 connections.
The proxy_protocol_access is required to permit
downstream proxies which can be trusted.
worker-queues
Ask TCP stack to maintain a dedicated listening queue
for each worker accepting requests at this port.
Requires TCP stack that supports the SO_REUSEPORT socket
option.
SECURITY WARNING: Enabling worker-specific queues
allows any process running as Squid's effective user to
easily accept requests destined to this port.
If you run Squid on a dual-homed machine with an internal
and an external interface we recommend you to specify the
internal address:port in http_port. This way Squid will only be
visible on the internal address.
# Squid normally listens to port 3128
http_port 3128