Squid: The Definitive Guide - Duane Wessels [26]
connect_timeout 2 minutes
connect_timeout 1 hour
On the other hand, some directives are actually lists of values. For these, each occurrence of the directive adds a new value to the list. The extension_methods directive works this way:
extension_methods UNGET
extension_methods UNPUT
extension_methods UNPOST
For these list-based directives, you can also usually put multiple values on the same line:
extension_methods UNGET UNPUT UNPOST
Many of the directives have common types. The connect_timeout directive, for instance, takes a time specification: a number followed by a unit of time. For example:
connect_timeout 3 hours
client_lifetime 4 days
negative_ttl 27 minutes
Similarly, a number of directives refer to the size of a file or chunk of memory. For these, you can write a size specification as a decimal number, followed by bytes, KB, MB, or GB. For example:
minimum_object_size 12 bytes
request_header_max_size 10 KB
maximum_object_size 187 MB
Another type worth mentioning is the toggle, which can be either on or off. Many directives use this type. For example:
server_persistent_connections on
strip_query_terms off
prefer_direct on
In general, the configuration file directives may appear in any order. However, the order is important when one directive makes reference to something defined by another. Access controls are a good example. An acl must be defined before it can be used in an http_access rule:
acl Foo src 1.2.3.4
http_access deny Foo
Many things in squid.conf are case-sensitive, such as directive names. You can't write HTTP_port instead of http_port.
The default squid.conf file contains comments describing each directive, as well as the default values. For example:
# TAG: persistent_request_timeout
# How long to wait for the next HTTP request on a persistent
# connection after the previous request completes.
#
#Default:
# persistent_request_timeout 1 minute
Each time you install Squid, the current default configuration file is saved as squid.conf.default in the $prefix/etc directory. Since directives change from time to time, you can refer to this file for the most up-to-date documentation on squid.conf.
The rest of this chapter is about the handful of directives you need to know before running Squid for the very first time.
User IDs
As you probably know, Unix processes and files have user and group ownership attributes. You need to select a user and group for Squid. This user and group combination must have read and write access to most of the Squid-related files and directories.
I highly recommend creating a dedicated squid user and group. This minimizes the chance that someone can exploit Squid to read other files on the system. If more than one person has administrative authority over Squid, you can add them to the squid group.
Unix processes inherit their parent process' ownership attributes. That is, if you start Squid as user joe, Squid also runs as user joe. If you don't want Squid to run as joe, you need to change your user ID beforehand. This is typically accomplished with the su command. For example:
joe% su - squid
squid% /usr/local/squid/sbin/squid
Unfortunately, running Squid isn't always so simple. In some cases, you may need to start Squid as root, depending on your configuration. For example, only root can bind a TCP socket to privileged ports like port 80. If you need to start Squid as root, you must set the cache_effective_user directive. It tells Squid which user to become after performing the tasks that require special privileges. For example:
cache_effective_user squid
The name that you provide must be a valid user (i.e., in the /etc/passwd file). Furthermore, note that this directive is used only when you start Squid as root. Only root has the ability to become another user. If you start Squid as joe, it can't switch to user squid.
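The ordering, case-sensitivity, and cache_effective_user rules described above can be checked mechanically before Squid is ever started as root. The following Python linter is an added example, not code from this book or from Squid; the function names, the KNOWN subset of directives, and the sample configuration and passwd data are assumptions made for illustration.

```python
# Added example: a minimal squid.conf linter; not part of Squid or the book.
KNOWN = {"acl", "http_access", "http_port", "cache_effective_user"}  # subset only

def directives(conf_text):
    """Yield (line_number, name, args) for every line that is not blank or a comment."""
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield n, name, args

def lint(conf_text, passwd_text):
    """Return a list of (line_number, message); line 0 means the whole file."""
    uids = {}
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 7:
            uids[fields[0]] = fields[2]
    findings, acls, user = [], set(), None
    for n, name, args in directives(conf_text):
        if name not in KNOWN and name.lower() in KNOWN:
            findings.append((n, f"{name}: directive names are case-sensitive"))
        elif name == "acl" and args:
            acls.add(args[0])
        elif name == "http_access":
            # args[0] is allow/deny; the rest are ACL names, optionally negated with '!'
            for ref in args[1:]:
                if ref.lstrip("!") not in acls:
                    findings.append((n, f"acl {ref.lstrip('!')} used before it is defined"))
        elif name == "cache_effective_user" and args:
            user = (n, args[0])  # single-valued: a later line replaces an earlier one
    if user is None:
        findings.append((0, "cache_effective_user is not set"))
    elif user[1] not in uids:
        findings.append((user[0], f"{user[1]} is not a user in the passwd data"))
    elif uids[user[1]] == "0":
        findings.append((user[0], f"{user[1]} has uid 0, so no privilege is dropped"))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """\
HTTP_port 3128
http_access deny Foo
acl Foo src 1.2.3.4
http_access allow Foo
cache_effective_user squidd
"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nsquid:x:31:31:Squid:/var/empty:/sbin/nologin\n"

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE_CONF, SAMPLE_PASSWD):
        print(f"line {line_no}: {message}")
```

On a real host, pass the contents of squid.conf and /etc/passwd as the two arguments; an empty result means none of these three checks fired.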
You might be tempted to just run Squid as root without setting cache_effective_user. If you try, you'll find that Squid refuses to run. This, again, is due to security concerns. If an outsider were somehow able to