Squid configuration directive http_port
Available in: 3.1 3.0 2.7 3.HEAD 2.HEAD 2.6
History:
- Changes in 3.1 http_port transparent intercept sslbump connection-auth[=on|off] ignore-cc
Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does. For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.
New port options:
  - intercept: Rename of old 'transparent' option to indicate proper functionality.
  - allow-direct: Allow direct forwarding in accelerator mode. Normally accelerated requests are denied direct forwarding as if never_direct was used.
  - connection-auth[=on|off]: Use connection-auth=off to tell Squid to prevent forwarding Microsoft connection oriented authentication (NTLM, Negotiate and Kerberos).
  - keepalive[=idle,interval,timeout]: Enable TCP keepalive probes of idle connections. idle is the initial time before TCP starts probing the connection, interval how often to probe, and timeout the time before giving up.
  - ignore-cc: Ignore request Cache-Control headers. Warning: This option violates HTTP specifications if used in non-accelerator setups.
  - sslBump: Intercept each CONNECT request matching ssl_bump ACL, establish secure connection with the client and with the server, decrypt HTTP messages as they pass through Squid, and treat them as unencrypted HTTP messages, becoming the man-in-the-middle. When this option is enabled, additional options become available to specify SSL-related properties of the client-side connection: cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, and sslcontext. See the https_port directive for more information on these options. The ssl_bump option is required to fully enable the SslBump feature.
- Changes in 3.0 http_port
New options:
  - disable-pmtu-discovery=: Control Path-MTU discovery usage:
    - off: lets the OS decide what to do (default).
    - transparent: disable PMTU discovery when transparent support is enabled.
    - always: always disable PMTU discovery.

In many setups of transparently intercepting proxies, Path-MTU discovery cannot work on traffic towards the clients. This is the case when the intercepting device does not fully track connections and fails to forward ICMP must fragment messages to the cache server. If you have such a setup and find that certain clients sporadically hang or never complete requests, set the disable-pmtu-discovery option to 'transparent'.
- Changes in 2.7 http_port
Accelerator mode options cleaned up (accel, defaultsite, vport, vhost and combinations thereof)
new "allow-direct" option
new "act-as-origin" option
new "http11" option (experimental)
new "name=" option
new "keepalive=" option
- Changes in 3.HEAD http_port
no-connection-auth replaced by connection-auth=[on|off]. Default is ON.
transparent option replaced by intercept
- Changes in 2.6 http_port
Now takes a list of options in addition to the port address, specifying the purpose of this http_port. Default is plain Internet proxy as usual. Also there is no longer a default port and you must include a http_port directive in your squid.conf if you want Squid to listen for http requests.
Configuration Details:
| Option Name: | http_port |
|---|---|
| Replaces: | ascii_port |
| Requires: | |
| Default Value: | none |

Suggested Config:

```
# Squid normally listens to port 3128
http_port 3128
```

Usage:

```
port [options]
hostname:port [options]
1.2.3.4:port [options]
```

The socket addresses where Squid will listen for HTTP client requests. You may specify multiple socket addresses. There are three forms: port alone, hostname with port, and IP address with port. If you specify a hostname or IP address, Squid binds the socket to that specific address. This replaces the old 'tcp_incoming_address' option. Most likely, you do not need to bind to a specific address, so you can use the port number alone.

If you are running Squid in accelerator mode, you probably want to listen on port 80 also, or instead.

The -a command line option may be used to specify additional port(s) where Squid listens for proxy requests. Such ports will be plain proxy ports with no options.

You may specify multiple socket addresses on multiple lines.

Options:

- intercept: Support for IP-Layer interception of outgoing requests without browser settings. NP: disables authentication and IPv6 on the port.
- tproxy: Support Linux TPROXY for spoofing outgoing connections using the client IP address. NP: disables authentication and maybe IPv6 on the port.
- accel: Accelerator mode. Also needs at least one of vhost / vport / defaultsite.
- allow-direct: Allow direct forwarding in accelerator mode. Normally accelerated requests are denied direct forwarding as if never_direct was used.
- defaultsite=domainname: What to use for the Host: header if it is not present in a request. Determines what site (not origin server) accelerators should consider the default. Implies accel.
- vhost: Accelerator mode using Host header for virtual domain support. Implies accel.
- vport: Accelerator with IP based virtual host support. Implies accel.
- vport=NN: As above, but uses specified port number rather than the http_port number. Implies accel.
- protocol=: Protocol to reconstruct accelerated requests with. Defaults to http.
- ignore-cc: Ignore request Cache-Control headers. Warning: This option violates HTTP specifications if used in non-accelerator setups.
- connection-auth[=on|off]: Use connection-auth=off to tell Squid to prevent forwarding Microsoft connection oriented authentication (NTLM, Negotiate and Kerberos).
- disable-pmtu-discovery=: Control Path-MTU discovery usage:
  - off: lets the OS decide what to do (default).
  - transparent: disable PMTU discovery when transparent support is enabled.
  - always: always disable PMTU discovery.

  In many setups of transparently intercepting proxies, Path-MTU discovery cannot work on traffic towards the clients. This is the case when the intercepting device does not fully track connections and fails to forward ICMP must fragment messages to the cache server. If you have such a setup and find that certain clients sporadically hang or never complete requests, set the disable-pmtu-discovery option to 'transparent'.
- sslBump: Intercept each CONNECT request matching ssl_bump ACL, establish secure connection with the client and with the server, decrypt HTTP messages as they pass through Squid, and treat them as unencrypted HTTP messages, becoming the man-in-the-middle. When this option is enabled, additional options become available to specify SSL-related properties of the client-side connection: cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, and sslcontext. See the https_port directive for more information on these options. The ssl_bump option is required to fully enable the SslBump feature.
- name=: Specifies an internal name for the port. Defaults to the port specification (port or addr:port).
- tcpkeepalive[=idle,interval,timeout]: Enable TCP keepalive probes of idle connections. idle is the initial time before TCP starts probing the connection, interval how often to probe, and timeout the time before giving up.

If you run Squid on a dual-homed machine with an internal and an external interface, we recommend that you specify the internal address:port in http_port. This way Squid will only be visible on the internal address.
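A small auditor that applies the constraints stated in the option descriptions above to the http_port lines of a squid.conf, as an added example that is not part of the Squid documentation or code base. The function name, rule codes and sample configuration are constructed for illustration, and the script checks only what this page states.

```python
# Added example: rule texts paraphrase statements from the reference above.
RULES = {
    "ALL_ADDRESSES": "port-only form binds every address; on a dual-homed host use the internal address:port",
    "DEPRECATED": "'transparent' is being deprecated in 3.1 in favour of 'intercept'",
    "NO_AUTH": "interception options disable authentication on this port",
    "ACCEL_INCOMPLETE": "accel needs at least one of vhost / vport / defaultsite",
    "IGNORE_CC": "ignore-cc violates HTTP specifications in non-accelerator setups",
    "SSLBUMP_NO_ACL": "sslBump is set but the file has no ssl_bump directive",
}
IMPLIES_ACCEL = {"vhost", "vport", "defaultsite"}

def audit_http_port(conf_text):
    """Return sorted (line_no, rule_code) findings for http_port lines."""
    lines = [raw.split("#", 1)[0].split() for raw in conf_text.splitlines()]
    has_ssl_bump = any(t and t[0] == "ssl_bump" for t in lines)
    findings = []
    for no, tokens in enumerate(lines, 1):
        if len(tokens) < 2 or tokens[0] != "http_port":
            continue
        # Compare option names only, so disable-pmtu-discovery=transparent
        # is not mistaken for the 'transparent' port option.
        names = {opt.split("=", 1)[0] for opt in tokens[2:]}
        accel = "accel" in names or bool(names & IMPLIES_ACCEL)
        checks = {
            "ALL_ADDRESSES": tokens[1].isdigit(),
            "DEPRECATED": "transparent" in names,
            "NO_AUTH": bool(names & {"intercept", "tproxy", "transparent"}),
            "ACCEL_INCOMPLETE": "accel" in names and not names & IMPLIES_ACCEL,
            "IGNORE_CC": "ignore-cc" in names and not accel,
            "SSLBUMP_NO_ACL": "sslBump" in names and not has_ssl_bump,
        }
        findings += [(no, code) for code, hit in checks.items() if hit]
    return sorted(findings)

# Constructed sample configuration (addresses and paths are placeholders).
SAMPLE = """\
# constructed sample squid.conf
http_port 3128
http_port 192.168.0.1:3129 transparent
http_port 192.168.0.1:3130 intercept disable-pmtu-discovery=transparent
http_port 192.168.0.1:80 accel
http_port 192.168.0.1:8080 ignore-cc
http_port 192.168.0.1:8081 vhost ignore-cc name=web
http_port 192.168.0.1:3131 sslBump cert=/etc/squid/example.pem
"""

if __name__ == "__main__":
    for no, code in audit_http_port(SAMPLE):
        print(f"line {no}: {code}: {RULES[code]}")
```

The NO_AUTH findings are informational: they mark ports where access control cannot rely on proxy authentication and has to come from other ACLs.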
