Squid: The Definitive Guide - Duane Wessels [176]
If you run Squid as a surrogate (accelerator), you probably want to accept HTTP connections on port 80. Binding to privileged ports requires root permissions.
Syntax
http_port [hostname:]port [[hostname:]port] ...
Default
http_port 3128
Example
http_port 8080
http_port 3128 3129 3130 3131
http_port 192.168.1.1:3128
Related
https_port, icp_port, htcp_port, snmp_port, httpd_accel_port, http_access
Name
https_port
Synopsis
This directive allows Squid to accept encrypted (SSL or TLS) connections. It is available only when you build Squid with the ./configure --enable-ssl option.
The mandatory cert= argument specifies the pathname to an SSL certificate file in PEM format. PEM is the base64 text encoding, delimited by BEGIN/END marker lines, that OpenSSL and other security software use to carry certificates and keys portably.
The optional key= argument is the path to a private key file. If you omit it, Squid assumes the certificate file also contains the private key. A combined file is convenient, but it then holds your private key and must be readable only by the user Squid runs as.
You can use the version= argument to tell Squid which protocol versions are allowed: 1=automatic (OpenSSL negotiates any version it supports), 2=SSLv2 only, 3=SSLv3 only, 4=TLSv1 only.
The cipher= argument is an optional colon-separated list of allowed ciphers in OpenSSL cipher-string syntax. Squid simply passes this list to the SSL_CTX_set_cipher_list() function, so anything that function accepts (keywords such as HIGH, negations such as !aNULL) works here.
Lastly, the options= argument allows you to pass additional configuration parameters to the OpenSSL library. For example, NO_SSLv2, NO_SSLv3, and NO_TLSv1 disable the use of those particular protocols. Additional option keywords are defined in Squid's src/ssl_support.c file. If you leave version= at its automatic default, set at least NO_SSLv2 and NO_SSLv3: both protocols have since been formally retired (RFC 6176 and RFC 7568), and no current client needs them.
Syntax
https_port [hostname:]port cert=certificate.pem [key=key.pem] [version=N]
[cipher=list] [options=SSL_Options]
Default
No default
Example
https_port 443 cert=/etc/squid-cert.pem key=/etc/squid-privkey.pem
Related
http_port, http_access
Name
ssl_unclean_shutdown
Synopsis
This is a hack borrowed from mod_ssl for Apache. Certain user agents, notably Microsoft Internet Explorer, may not execute the SSL shutdown procedure correctly, especially when persistent connections are involved. Enabling this directive violates the SSL/TLS standard but may eliminate error messages from broken clients. Be aware of what you give up: the clean shutdown (the close_notify alert) is how a peer tells a deliberate close from a connection truncated by a third party, so enable this only if you actually see the problem.
Syntax
ssl_unclean_shutdown on|off
Default
ssl_unclean_shutdown off
Example
ssl_unclean_shutdown on
Related
https_port
Name
icp_port
Synopsis
This is the UDP port Squid uses for ICP messages, both sent and received. Your Squid receives ICP queries from other caches on this port, and it also receives the ICP replies to its own queries here. ICP carries no authentication, so use icp_access to restrict who may query you and bind the port to an internal address where you can.
Unlike http_port, you can't specify a list of ICP port numbers. Furthermore, you must use the udp_incoming_address and udp_outgoing_address directives if you want to restrict ICP traffic to a specific interface address.
Setting icp_port to 0 disables ICP.
Syntax
icp_port port
Default
icp_port 3130
Example
icp_port 4130
Related
icp_query_timeout, icp_access, log_icp_queries, icp_hit_stale, udp_incoming_address, htcp_port, http_port, cache_peer
Name
htcp_port
Synopsis
The Hypertext Caching Protocol is an alternative to ICP. It provides better security (the protocol defines an optional message authentication section) and better cache hit predictions. However, HTCP messages are larger and more complicated. HTCP must be enabled at compile time with the ./configure --enable-htcp option.
This directive specifies the UDP port Squid uses to send and receive HTCP queries and replies. You may only specify one HTCP port number. As with ICP, the udp_incoming_address and udp_outgoing_address directives also control HTCP packets.
You may configure Squid to receive both ICP and HTCP queries at the same time. Setting htcp_port to 0 disables HTCP.
Syntax
htcp_port port
Default
htcp_port 4827
Example
htcp_port 9999
Related
icp_port, http_port, udp_incoming_address, udp_outgoing_address, cache_peer
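As an added example (not code from Squid or from the book), here is a small Python audit of the listener directives covered above: http_port, https_port, icp_port and htcp_port. It applies the rules stated in their entries: ports below 1024 need root at bind time; cert= is mandatory and, when key= is omitted, the certificate file must itself carry the private key; version=1 leaves protocol choice to OpenSSL unless options= switches versions off; icp_port and htcp_port take exactly one port, and a nonzero port is a UDP listener that udp_incoming_address (and, for ICP, icp_access) should constrain. It reads nothing from disk: the sample configuration and PEM contents at the bottom are constructed stand-ins, and the ':' or ',' separator assumed for options= keywords is an assumption, since the page does not state it.

```python
"""Audit the listener directives of a squid.conf fragment.

Added example, not Squid's or the book's code. Nothing is read from disk:
the caller passes the configuration text plus a {path: contents} map that
stands in for the PEM files named by cert=, so the sample run is constructed.
"""
import re
from typing import Dict, List, Tuple

PRIVILEGED_PORT_MAX = 1023  # binding 1..1023 requires root at startup
# PEM headers OpenSSL accepts for a private key. Squid hands cert= to OpenSSL,
# so with key= omitted the load fails unless one of these blocks is present.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY-----")
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----")
OPTIONS_SPLIT_RE = re.compile(r"[:,]")  # assumption: options= keyword separator
# OpenSSL cipher-string keywords that admit unencrypted or unauthenticated suites.
WEAK_CIPHER_KEYWORDS = ("NULL", "eNULL", "aNULL", "EXPORT", "EXP", "LOW")


def parse_endpoint(token: str) -> Tuple[str, int]:
    """Split '[hostname:]port' into (hostname, port); '' means every address."""
    host, sep, port = token.rpartition(":")
    return (host if sep else "", int(port))


def protocol_gaps(version: str, options: str) -> List[str]:
    """Protocol versions the listener will still negotiate.

    version=2/3/4 pins one version; version=1 (the default) lets OpenSSL pick
    anything that options= has not switched off with NO_SSLv2/NO_SSLv3/NO_TLSv1.
    """
    pinned = {"2": ["SSLv2"], "3": ["SSLv3"], "4": ["TLSv1"]}
    if version in pinned:
        return pinned[version]
    disabled = set(filter(None, OPTIONS_SPLIT_RE.split(options)))
    return [p for p in ("SSLv2", "SSLv3", "TLSv1") if f"NO_{p}" not in disabled]


def audit(conf: str, pem_files: Dict[str, str]) -> List[str]:
    """Return one finding per problem, in configuration order."""
    findings: List[str] = []
    lines = [raw.split("#", 1)[0].strip() for raw in conf.splitlines()]
    present = {line.split()[0] for line in lines if line}

    for lineno, line in enumerate(lines, 1):
        if not line:
            continue
        directive, *args = line.split()
        where = f"line {lineno} {directive}"

        if directive in ("http_port", "https_port"):
            # http_port takes a list of endpoints; https_port takes exactly one.
            for tok in (args if directive == "http_port" else args[:1]):
                _, port = parse_endpoint(tok)
                if port <= PRIVILEGED_PORT_MAX:
                    findings.append(f"{where}: port {port} is privileged, Squid must start as root to bind it")

        if directive == "https_port":
            opts = dict(a.split("=", 1) for a in args[1:] if "=" in a)
            pem = pem_files.get(opts.get("cert", ""))
            if "cert" not in opts:
                findings.append(f"{where}: cert= is mandatory")
            elif pem is None:
                findings.append(f"{where}: cannot read {opts['cert']}")
            elif not CERT_RE.search(pem):
                findings.append(f"{where}: {opts['cert']} contains no CERTIFICATE block")
            if pem is not None and "key" not in opts and not PRIVATE_KEY_RE.search(pem):
                findings.append(f"{where}: key= omitted but {opts['cert']} holds no PRIVATE KEY block")
            ssl_left = [p for p in protocol_gaps(opts.get("version", "1"), opts.get("options", ""))
                        if p.startswith("SSL")]
            if ssl_left:
                findings.append(f"{where}: negotiates {', '.join(ssl_left)}; add NO_SSLv2 and NO_SSLv3 to options= or pin version=4")
            weak = [t for t in opts.get("cipher", "").split(":") if t in WEAK_CIPHER_KEYWORDS]
            if weak:
                findings.append(f"{where}: cipher= admits {', '.join(weak)} suites")

        if directive in ("icp_port", "htcp_port"):
            if len(args) != 1:
                findings.append(f"{where}: takes exactly one port, got {len(args)}")
            port = int(args[0]) if args else 0  # 0 disables the protocol
            if port and "udp_incoming_address" not in present:
                findings.append(f"{where}: UDP listener on {port} bound to every address; set udp_incoming_address")
            if port and directive == "icp_port" and "icp_access" not in present:
                findings.append(f"{where}: ICP enabled with no icp_access rules; any host can query the cache")
    return findings


SAMPLE_CONF = """\
# constructed squid.conf fragment, not taken from any real deployment
http_port 80 3128
https_port 443 cert=/etc/squid/combined.pem version=1 options=NO_SSLv2
https_port 8443 cert=/etc/squid/cert-only.pem cipher=HIGH:!aNULL
icp_port 3130 3131
htcp_port 0
"""
# Constructed stand-ins for the PEM files; the base64 bodies are placeholders.
SAMPLE_PEMS = {
    "/etc/squid/combined.pem": ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                                "-----BEGIN RSA PRIVATE KEY-----\nMIIC...\n-----END RSA PRIVATE KEY-----\n"),
    "/etc/squid/cert-only.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_PEMS):
        print(finding)
```

On the constructed sample this reports eight findings: the two privileged ports, SSLv3 still negotiable on the 443 listener and SSLv2 plus SSLv3 on the 8443 one, the 8443 listener whose cert-only PEM cannot supply the key it is assumed to contain, the icp_port line with two ports where one is allowed, and the ICP listener left open to every address with no icp_access rules. The htcp_port 0 line is silent, as it should be.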
Name