# Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: senad.cimic@thomson.com-20100518202454-hsn5t6f9otv0rdrd # target_branch: http://www.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: ea9e1c97e63bbd097b5d0e4383d8cd643dd64b35 # timestamp: 2010-05-18 15:46:29 -0500 # message: Squid Revisions (testing...) # base_revision_id: squid3@treenet.co.nz-20100515180041-\ # b3208n87xrglhcey # # Begin patch === modified file 'src/cf.data.pre' --- src/cf.data.pre 2010-05-14 05:37:19 +0000 +++ src/cf.data.pre 2010-05-18 20:24:54 +0000 
@@ -1,6944 +1,6955 @@ -# -# SQUID Web Proxy Cache http://www.squid-cache.org/ -# ---------------------------------------------------------- -# -# Squid is the result of efforts by numerous individuals from -# the Internet community; see the CONTRIBUTORS file for full -# details. Many organizations have provided support for Squid's -# development; see the SPONSORS file for full details. Squid is -# Copyrighted (C) 2000 by the Regents of the University of -# California; see the COPYRIGHT file for full details. Squid -# incorporates software developed and/or copyrighted by other -# sources; see the CREDITS file for full details. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -# - -COMMENT_START - WELCOME TO @SQUID@ - ---------------------------- - - This is the default Squid configuration file. You may wish - to look at the Squid home page (http://www.squid-cache.org/) - for the FAQ and other documentation. - - The default Squid config file shows what the defaults for - various options happen to be. If you don't need to change the - default, you shouldn't uncomment the line. Doing so may cause - run-time problems. In some cases "none" refers to no default - setting at all, while in other cases it refers to a valid - option - the comments for that keyword indicate if this is the - case. 
- -COMMENT_END - -COMMENT_START - Configuration options can be included using the "include" directive. - Include takes a list of files to include. Quoting and wildcards is - supported. - - For example, - - include /path/to/included/file/squid.acl.config - - Includes can be nested up to a hard-coded depth of 16 levels. - This arbitrary restriction is to prevent recursive include references - from causing Squid entering an infinite loop whilst trying to load - configuration files. -COMMENT_END - -COMMENT_START - OPTIONS FOR AUTHENTICATION - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: auth_param -TYPE: authparam -LOC: Config.authConfiguration -DEFAULT: none -DOC_START - This is used to define parameters for the various authentication - schemes supported by Squid. - - format: auth_param scheme parameter [setting] - - The order in which authentication schemes are presented to the client is - dependent on the order the scheme first appears in config file. IE - has a bug (it's not RFC 2617 compliant) in that it will use the basic - scheme if basic is the first entry presented, even if more secure - schemes are presented. For now use the order in the recommended - settings section below. If other browsers have difficulties (don't - recognize the schemes offered even if you are using basic) either - put basic first, or disable the other schemes (by commenting out their - program entry). - - Once an authentication scheme is fully configured, it can only be - shutdown by shutting squid down and restarting. Changes can be made on - the fly and activated with a reconfigure. I.E. You can change to a - different helper, but not unconfigure the helper completely. - - Please note that while this directive defines how Squid processes - authentication it does not automatically activate authentication. 
- To use authentication you must in addition make use of ACLs based - on login name in http_access (proxy_auth, proxy_auth_regex or - external with %LOGIN used in the format tag). The browser will be - challenged for authentication on the first such acl encountered - in http_access processing and will also be re-challenged for new - login credentials if the request is being denied by a proxy_auth - type acl. - - WARNING: authentication can't be used in a transparently intercepting - proxy as the client then thinks it is talking to an origin server and - not the proxy. This is a limitation of bending the TCP/IP protocol to - transparently intercepting port 80, not a limitation in Squid. - Ports flagged 'transparent', 'intercept', or 'tproxy' have - authentication disabled. - - === Parameters for the basic scheme follow. === - - "program" cmdline - Specify the command for the external authenticator. Such a program - reads a line containing "username password" and replies "OK" or - "ERR" in an endless loop. "ERR" responses may optionally be followed - by a error description available as %m in the returned error page. - If you use an authenticator, make sure you have 1 acl of type - proxy_auth. - - By default, the basic authentication scheme is not used unless a - program is specified. - - If you want to use the traditional NCSA proxy authentication, set - this line to something like - - auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd - - "utf8" on|off - HTTP uses iso-latin-1 as characterset, while some authentication - backends such as LDAP expects UTF-8. If this is set to on Squid will - translate the HTTP iso-latin-1 charset to UTF-8 before sending the - username & password to the helper. - - "children" numberofchildren [startup=N] [idle=N] [concurrency=N] - The maximum number of authenticator processes to spawn. 
If you start too few - Squid will have to wait for them to process a backlog of credential - verifications, slowing it down. When password verifications are - done via a (slow) network you are likely to need lots of - authenticator processes. - - The startup= and idle= options permit some skew in the exact amount - run. A minimum of startup=N will begin during startup and reconfigure - and Squid will start more in groups of up to idle=N in an attempt to meet - traffic needs and to keep idle=N free above those traffic needs up to - the maximum. - - The concurrency= option sets the number of concurrent requests the - helper can process. The default of 0 is used for helpers who only - supports one request at a time. Setting this to a number greater than - 0 changes the protocol used to include a channel number first on the - request/response line, allowing multiple requests to be sent to the - same helper in parallell without wating for the response. - Must not be set unless it's known the helper supports this. - - auth_param basic children 20 startup=0 idle=1 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the basic proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param basic realm Squid proxy-caching web server - - "credentialsttl" timetolive - Specifies how long squid assumes an externally validated - username:password pair is valid for - in other words how - often the helper program is called for that user. Set this - low to force revalidation with short lived passwords. Note - setting this high does not impact your susceptibility - to replay attacks unless you are using an one-time password - system (such as SecureID). If you are using such a system, - you will be vulnerable to replay attacks unless you also - use the max_user_ip ACL in an http_access rule. - - "casesensitive" on|off - Specifies if usernames are case sensitive. 
Most user databases are - case insensitive allowing the same username to be spelled using both - lower and upper case letters, but some are case sensitive. This - makes a big difference for user_max_ip ACL processing and similar. - auth_param basic casesensitive off - - === Parameters for the digest scheme follow === - - "program" cmdline - Specify the command for the external authenticator. Such - a program reads a line containing "username":"realm" and - replies with the appropriate H(A1) value hex encoded or - ERR if the user (or his H(A1) hash) does not exists. - See rfc 2616 for the definition of H(A1). - "ERR" responses may optionally be followed by a error description - available as %m in the returned error page. - - By default, the digest authentication scheme is not used unless a - program is specified. - - If you want to use a digest authenticator, set this line to - something like - - auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass - - "utf8" on|off - HTTP uses iso-latin-1 as characterset, while some authentication - backends such as LDAP expects UTF-8. If this is set to on Squid will - translate the HTTP iso-latin-1 charset to UTF-8 before sending the - username & password to the helper. - - "children" numberofchildren [startup=N] [idle=N] [concurrency=N] - The maximum number of authenticator processes to spawn (default 5). - If you start too few Squid will have to wait for them to - process a backlog of H(A1) calculations, slowing it down. - When the H(A1) calculations are done via a (slow) network - you are likely to need lots of authenticator processes. - - The startup= and idle= options permit some skew in the exact amount - run. A minimum of startup=N will begin during startup and reconfigure - and Squid will start more in groups of up to idle=N in an attempt to meet - traffic needs and to keep idle=N free above those traffic needs up to - the maximum. 
- - The concurrency= option sets the number of concurrent requests the - helper can process. The default of 0 is used for helpers who only - supports one request at a time. Setting this to a number greater than - 0 changes the protocol used to include a channel number first on the - request/response line, allowing multiple requests to be sent to the - same helper in parallell without wating for the response. - Must not be set unless it's known the helper supports this. - - auth_param digest children 20 startup=0 idle=1 - - "realm" realmstring - Specifies the realm name which is to be reported to the - client for the digest proxy authentication scheme (part of - the text the user will see when prompted their username and - password). There is no default. - auth_param digest realm Squid proxy-caching web server - - "nonce_garbage_interval" timeinterval - Specifies the interval that nonces that have been issued - to client_agent's are checked for validity. - - "nonce_max_duration" timeinterval - Specifies the maximum length of time a given nonce will be - valid for. - - "nonce_max_count" number - Specifies the maximum number of times a given nonce can be - used. - - "nonce_strictness" on|off - Determines if squid requires strict increment-by-1 behavior - for nonce counts, or just incrementing (off - for use when - useragents generate nonce counts that occasionally miss 1 - (ie, 1,2,4,6)). Default off. - - "check_nonce_count" on|off - This directive if set to off can disable the nonce count check - completely to work around buggy digest qop implementations in - certain mainstream browser versions. Default on to check the - nonce count to protect from authentication replay attacks. - - "post_workaround" on|off - This is a workaround to certain buggy browsers who sends - an incorrect request digest in POST requests when reusing - the same nonce as acquired earlier on a GET request. 
- - === NTLM scheme options follow === - - "program" cmdline - Specify the command for the external NTLM authenticator. - Such a program reads exchanged NTLMSSP packets with - the browser via Squid until authentication is completed. - If you use an NTLM authenticator, make sure you have 1 acl - of type proxy_auth. By default, the NTLM authenticator_program - is not used. - - auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth - - "children" numberofchildren [startup=N] [idle=N] - The maximum number of authenticator processes to spawn (default 5). - If you start too few Squid will have to wait for them to - process a backlog of credential verifications, slowing it - down. When credential verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - - The startup= and idle= options permit some skew in the exact amount - run. A minimum of startup=N will begin during startup and reconfigure - and Squid will start more in groups of up to idle=N in an attempt to meet - traffic needs and to keep idle=N free above those traffic needs up to - the maximum. - - auth_param ntlm children 20 startup=0 idle=1 - - "keep_alive" on|off - If you experience problems with PUT/POST requests when using the - Negotiate authentication scheme then you can try setting this to - off. This will cause Squid to forcibly close the connection on - the initial requests where the browser asks which schemes are - supported by the proxy. - - auth_param ntlm keep_alive on - - === Options for configuring the NEGOTIATE auth-scheme follow === - - "program" cmdline - Specify the command for the external Negotiate authenticator. - This protocol is used in Microsoft Active-Directory enabled setups with - the Microsoft Internet Explorer or Mozilla Firefox browsers. - Its main purpose is to exchange credentials with the Squid proxy - using the Kerberos mechanisms. 
- If you use a Negotiate authenticator, make sure you have at least - one acl of type proxy_auth active. By default, the negotiate - authenticator_program is not used. - The only supported program for this role is the ntlm_auth - program distributed as part of Samba, version 4 or later. - - auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego - - "children" numberofchildren [startup=N] [idle=N] - The maximum number of authenticator processes to spawn (default 5). - If you start too few Squid will have to wait for them to - process a backlog of credential verifications, slowing it - down. When crendential verifications are done via a (slow) - network you are likely to need lots of authenticator - processes. - - The startup= and idle= options permit some skew in the exact amount - run. A minimum of startup=N will begin during startup and reconfigure - and Squid will start more in groups of up to idle=N in an attempt to meet - traffic needs and to keep idle=N free above those traffic needs up to - the maximum. - - auth_param negotiate children 20 startup=0 idle=1 - - "keep_alive" on|off - If you experience problems with PUT/POST requests when using the - Negotiate authentication scheme then you can try setting this to - off. This will cause Squid to forcibly close the connection on - the initial requests where the browser asks which schemes are - supported by the proxy. 
- - auth_param negotiate keep_alive on - - - Examples: - -#Recommended minimum configuration per scheme: -#auth_param negotiate program -#auth_param negotiate children 20 startup=0 idle=1 -#auth_param negotiate keep_alive on -# -#auth_param ntlm program -#auth_param ntlm children 20 startup=0 idle=1 -#auth_param ntlm keep_alive on -# -#auth_param digest program -#auth_param digest children 20 startup=0 idle=1 -#auth_param digest realm Squid proxy-caching web server -#auth_param digest nonce_garbage_interval 5 minutes -#auth_param digest nonce_max_duration 30 minutes -#auth_param digest nonce_max_count 50 -# -#auth_param basic program -#auth_param basic children 5 stratup=5 idle=1 -#auth_param basic realm Squid proxy-caching web server -#auth_param basic credentialsttl 2 hours -DOC_END - -NAME: authenticate_cache_garbage_interval -TYPE: time_t -DEFAULT: 1 hour -LOC: Config.authenticateGCInterval -DOC_START - The time period between garbage collection across the username cache. - This is a tradeoff between memory utilization (long intervals - say - 2 days) and CPU (short intervals - say 1 minute). Only change if you - have good reason to. -DOC_END - -NAME: authenticate_ttl -TYPE: time_t -DEFAULT: 1 hour -LOC: Config.authenticateTTL -DOC_START - The time a user & their credentials stay in the logged in - user cache since their last request. When the garbage - interval passes, all user credentials that have passed their - TTL are removed from memory. -DOC_END - -NAME: authenticate_ip_ttl -TYPE: time_t -LOC: Config.authenticateIpTTL -DEFAULT: 0 seconds -DOC_START - If you use proxy authentication and the 'max_user_ip' ACL, - this directive controls how long Squid remembers the IP - addresses associated with each user. Use a small value - (e.g., 60 seconds) if your users might change addresses - quickly, as is the case with dialups. You might be safe - using a larger value (e.g., 2 hours) in a corporate LAN - environment with relatively static address assignments. 
-DOC_END - -COMMENT_START - ACCESS CONTROLS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: external_acl_type -TYPE: externalAclHelper -LOC: Config.externalAclHelperList -DEFAULT: none -DOC_START - This option defines external acl classes using a helper program - to look up the status - - external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] - - Options: - - ttl=n TTL in seconds for cached results (defaults to 3600 - for 1 hour) - negative_ttl=n - TTL for cached negative lookups (default same - as ttl) - children-max=n - Maximum number of acl helper processes spawned to service - external acl lookups of this type. (default 20) - children-startup=n - Minimum number of acl helper processes to spawn during - startup and reconfigure to service external acl lookups - of this type. (default 0) - children-idle=n - Number of acl helper processes to keep ahead of traffic - loads. Squid will spawn this many at once whenever load - rises above the capabilities of existing processes. - Up to the value of children-max. (default 1) - concurrency=n concurrency level per process. Only used with helpers - capable of processing more than one query at a time. - cache=n limit the result cache size, default is unbounded. - grace=n Percentage remaining of TTL where a refresh of a - cached entry should be initiated without needing to - wait for a new reply. (default is for no grace period) - protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers - ipv4 / ipv6 IP-mode used to communicate to this helper. - For compatability with older configurations and helpers - the default is 'ipv4'. 
- - FORMAT specifications - - %LOGIN Authenticated user login name - %EXT_USER Username from external acl - %IDENT Ident user name - %SRC Client IP - %SRCPORT Client source port - %URI Requested URI - %DST Requested host - %PROTO Requested protocol - %PORT Requested port - %PATH Requested URL path - %METHOD Request method - %MYADDR Squid interface address - %MYPORT Squid http_port number - %PATH Requested URL-path (including query-string if any) - %USER_CERT SSL User certificate in PEM format - %USER_CERTCHAIN SSL User certificate chain in PEM format - %USER_CERT_xx SSL User certificate subject attribute xx - %USER_CA_xx SSL User certificate issuer attribute xx - - %>{Header} HTTP request header "Header" - %>{Hdr:member} - HTTP request header "Hdr" list member "member" - %>{Hdr:;member} - HTTP request header list member using ; as - list separator. ; can be any non-alphanumeric - character. - - %<{Header} HTTP reply header "Header" - %<{Hdr:member} - HTTP reply header "Hdr" list member "member" - %<{Hdr:;member} - HTTP reply header list member using ; as - list separator. ; can be any non-alphanumeric - character. - - In addition to the above, any string specified in the referencing - acl will also be included in the helper request line, after the - specified formats (see the "acl external" directive) - - The helper receives lines per the above format specification, - and returns lines starting with OK or ERR indicating the validity - of the request and optionally followed by additional keywords with - more details. - - General result syntax: - - OK/ERR keyword=value ... - - Defined keywords: - - user= The users name (login) - password= The users password (for login= cache_peer option) - message= Message describing the reason. Available as %o - in error pages - tag= Apply a tag to a request (for both ERR and OK results) - Only sets a tag, does not alter existing tags. - log= String to be logged in access.log. 
Available as - %ea in logformat specifications - - If protocol=3.0 (the default) then URL escaping is used to protect - each value in both requests and responses. - - If using protocol=2.5 then all values need to be enclosed in quotes - if they may contain whitespace, or the whitespace escaped using \. - And quotes or \ characters within the keyword value must be \ escaped. - - When using the concurrency= option the protocol is changed by - introducing a query channel tag infront of the request/response. - The query channel tag is a number between 0 and concurrency-1. -DOC_END - -NAME: acl -TYPE: acl -LOC: Config.aclList -DEFAULT: all src all -DOC_START - Defining an Access List - - Every access list definition must begin with an aclname and acltype, - followed by either type-specific arguments or a quoted filename that - they are read from. - - acl aclname acltype argument ... - acl aclname acltype "file" ... - - When using "file", the file should contain one item per line. - - By default, regular expressions are CASE-SENSITIVE. To make - them case-insensitive, use the -i option. - - Some acl types require suspending the current request in order - to access some external data source. - Those which do are marked with the tag [slow], those which - don't are marked as [fast]. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl - for further information - - ***** ACL TYPES AVAILABLE ***** - - acl aclname src ip-address/netmask ... # clients IP address [fast] - acl aclname src addr1-addr2/netmask ... # range of addresses [fast] - acl aclname dst ip-address/netmask ... # URL host's IP address [slow] - acl aclname myip ip-address/netmask ... # local socket IP address [fast] - - acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) - # The arp ACL requires the special configure option --enable-arp-acl. - # Furthermore, the ARP ACL code is not portable to all operating systems. - # It works on Linux, Solaris, Windows, FreeBSD, and some - # other *BSD variants. 
- # [fast] - # - # NOTE: Squid can only determine the MAC address for clients that are on - # the same subnet. If the client is on a different subnet, - # then Squid cannot find out its MAC address. - - acl aclname srcdomain .foo.com ... - # reverse lookup, from client IP [slow] - acl aclname dstdomain .foo.com ... - # Destination server from URL [fast] - acl aclname srcdom_regex [-i] \.foo\.com ... - # regex matching client name [slow] - acl aclname dstdom_regex [-i] \.foo\.com ... - # regex matching server [fast] - # - # For dstdomain and dstdom_regex a reverse lookup is tried if a IP - # based URL is used and no match is found. The name "none" is used - # if the reverse lookup fails. - - acl aclname src_as number ... - acl aclname dst_as number ... - # [fast] - # Except for access control, AS numbers can be used for - # routing of requests to specific caches. Here's an - # example for routing all requests for AS#1241 and only - # those to mycache.mydomain.net: - # acl asexample dst_as 1241 - # cache_peer_access mycache.mydomain.net allow asexample - # cache_peer_access mycache_mydomain.net deny all - - acl aclname peername myPeer ... - # [fast] - # match against a named cache_peer entry - # set unique name= on cache_peer lines for reliable use. - - acl aclname time [day-abbrevs] [h1:m1-h2:m2] - # [fast] - # day-abbrevs: - # S - Sunday - # M - Monday - # T - Tuesday - # W - Wednesday - # H - Thursday - # F - Friday - # A - Saturday - # h1:m1 must be less than h2:m2 - - acl aclname url_regex [-i] ^http:// ... - # regex matching on whole URL [fast] - acl aclname urlpath_regex [-i] \.gif$ ... - # regex matching on URL path [fast] - - acl aclname port 80 70 21 0-1024... # destination TCP port [fast] - # ranges are alloed - acl aclname myport 3128 ... # local socket TCP port [fast] - acl aclname myportname 3128 ... # http(s)_port name [fast] - - acl aclname proto HTTP FTP ... # request protocol [fast] - - acl aclname method GET POST ... 
# HTTP request method [fast] - - acl aclname http_status 200 301 500- 400-403 ... - # status code in reply [fast] - - acl aclname browser [-i] regexp ... - # pattern match on User-Agent header (see also req_header below) [fast] - - acl aclname referer_regex [-i] regexp ... - # pattern match on Referer header [fast] - # Referer is highly unreliable, so use with care - - acl aclname ident username ... - acl aclname ident_regex [-i] pattern ... - # string match on ident output [slow] - # use REQUIRED to accept any non-null ident. - - acl aclname proxy_auth [-i] username ... - acl aclname proxy_auth_regex [-i] pattern ... - # perform http authentication challenge to the client and match against - # supplied credentials [slow] - # - # takes a list of allowed usernames. - # use REQUIRED to accept any valid username. - # - # Will use proxy authentication in forward-proxy scenarios, and plain - # http authenticaiton in reverse-proxy scenarios - # - # NOTE: when a Proxy-Authentication header is sent but it is not - # needed during ACL checking the username is NOT logged - # in access.log. - # - # NOTE: proxy_auth requires a EXTERNAL authentication program - # to check username/password combinations (see - # auth_param directive). - # - # NOTE: proxy_auth can't be used in a transparent/intercepting proxy - # as the browser needs to be configured for using a proxy in order - # to respond to proxy authentication. - - acl aclname snmp_community string ... - # A community string to limit access to your SNMP Agent [fast] - # Example: - # - # acl snmppublic snmp_community public - - acl aclname maxconn number - # This will be matched when the client's IP address has - # more than HTTP connections established. [fast] - - acl aclname max_user_ip [-s] number - # This will be matched when the user attempts to log in from more - # than different ip addresses. The authenticate_ip_ttl - # parameter controls the timeout on the ip entries. 
[fast] - # If -s is specified the limit is strict, denying browsing - # from any further IP addresses until the ttl has expired. Without - # -s Squid will just annoy the user by "randomly" denying requests. - # (the counter is reset each time the limit is reached and a - # request is denied) - # NOTE: in acceleration mode or where there is mesh of child proxies, - # clients may appear to come from multiple addresses if they are - # going through proxy farms, so a limit of 1 may cause user problems. - - acl aclname random probability - # Pseudo-randomly match requests. Based on the probability given. - # Probability may be written as a decimal (0.333), fraction (1/3) - # or ratio of matches:non-matches (3:5). - - acl aclname req_mime_type [-i] mime-type ... - # regex match against the mime type of the request generated - # by the client. Can be used to detect file upload or some - # types HTTP tunneling requests [fast] - # NOTE: This does NOT match the reply. You cannot use this - # to match the returned file type. - - acl aclname req_header header-name [-i] any\.regex\.here - # regex match against any of the known request headers. May be - # thought of as a superset of "browser", "referer" and "mime-type" - # ACL [fast] - - acl aclname rep_mime_type [-i] mime-type ... - # regex match against the mime type of the reply received by - # squid. Can be used to detect file download or some - # types HTTP tunneling requests. [fast] - # NOTE: This has no effect in http_access rules. It only has - # effect in rules that affect the reply data stream such as - # http_reply_access. - - acl aclname rep_header header-name [-i] any\.regex\.here - # regex match against any of the known reply headers. May be - # thought of as a superset of "browser", "referer" and "mime-type" - # ACLs [fast] - - acl aclname external class_name [arguments...] - # external ACL lookup via a helper class defined by the - # external_acl_type directive [slow] - - acl aclname user_cert attribute values... 
- # match against attributes in a user SSL certificate - # attribute is one of DN/C/O/CN/L/ST [fast] - - acl aclname ca_cert attribute values... - # match against attributes a users issuing CA SSL certificate - # attribute is one of DN/C/O/CN/L/ST [fast] - - acl aclname ext_user username ... - acl aclname ext_user_regex [-i] pattern ... - # string match on username returned by external acl helper [slow] - # use REQUIRED to accept any non-null user name. - - acl aclname tag tagvalue ... - # string match on tag returned by external acl helper [slow] - - acl aclname hier_code codename ... - # string match against squid hierarchy code(s); [fast] - # e.g., DIRECT, PARENT_HIT, NONE, etc. - # - # NOTE: This has no effect in http_access rules. It only has - # effect in rules that affect the reply data stream such as - # http_reply_access. - - Examples: - acl macaddress arp 09:00:2b:23:45:67 - acl myexample dst_as 1241 - acl password proxy_auth REQUIRED - acl fileupload req_mime_type -i ^multipart/form-data$ - acl javascript rep_mime_type -i ^application/x-javascript$ - -NOCOMMENT_START -# -# Recommended minimum configuration: -# -acl manager proto cache_object -acl localhost src 127.0.0.1/32 -@IPV6_ONLY_SETTING@acl localhost src ::1/128 -acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 -@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128 - -# Example rule allowing access from your local networks. 
-# Adapt to list your (internal) IP networks from where browsing -# should be allowed -acl localnet src 10.0.0.0/8 # RFC1918 possible internal network -acl localnet src 172.16.0.0/12 # RFC1918 possible internal network -acl localnet src 192.168.0.0/16 # RFC1918 possible internal network -@IPV6_ONLY_SETTING@acl localnet src fc00::/7 # RFC 4193 local private network range -@IPV6_ONLY_SETTING@acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines - -acl SSL_ports port 443 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 # https -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT -NOCOMMENT_END -DOC_END - -NAME: follow_x_forwarded_for -TYPE: acl_access -IFDEF: FOLLOW_X_FORWARDED_FOR -LOC: Config.accessList.followXFF -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying the X-Forwarded-For header to be followed to - find the original source of a request. - - Requests may pass through a chain of several other proxies - before reaching us. The X-Forwarded-For header will contain a - comma-separated list of the IP addresses in the chain, with the - rightmost address being the most recent. - - If a request reaches us from a source that is allowed by this - configuration item, then we consult the X-Forwarded-For header - to see where that host received the request from. If the - X-Forwarded-For header contains multiple addresses, and if - acl_uses_indirect_client is on, then we continue backtracking - until we reach an address for which we are not allowed to - follow the X-Forwarded-For header, or until we reach the first - address in the list. 
(If acl_uses_indirect_client is off, then - it's impossible to backtrack through more than one level of - X-Forwarded-For addresses.) - - The end result of this process is an IP address that we will - refer to as the indirect client address. This address may - be treated as the client address for access control, ICAP, delay - pools and logging, depending on the acl_uses_indirect_client, - icap_uses_indirect_client, delay_pool_uses_indirect_client and - log_uses_indirect_client options. - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - - SECURITY CONSIDERATIONS: - - Any host for which we follow the X-Forwarded-For header - can place incorrect information in the header, and Squid - will use the incorrect information as if it were the - source address of the request. This may enable remote - hosts to bypass any access control restrictions that are - based on the client's source addresses. - - For example: - - acl localhost src 127.0.0.1 - acl my_other_proxy srcdomain .proxy.example.com - follow_x_forwarded_for allow localhost - follow_x_forwarded_for allow my_other_proxy -DOC_END - -NAME: acl_uses_indirect_client -COMMENT: on|off -TYPE: onoff -IFDEF: FOLLOW_X_FORWARDED_FOR -DEFAULT: on -LOC: Config.onoff.acl_uses_indirect_client -DOC_START - Controls whether the indirect client address - (see follow_x_forwarded_for) is used instead of the - direct client address in acl matching. -DOC_END - -NAME: delay_pool_uses_indirect_client -COMMENT: on|off -TYPE: onoff -IFDEF: FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS -DEFAULT: on -LOC: Config.onoff.delay_pool_uses_indirect_client -DOC_START - Controls whether the indirect client address - (see follow_x_forwarded_for) is used instead of the - direct client address in delay pools. 
-DOC_END - -NAME: log_uses_indirect_client -COMMENT: on|off -TYPE: onoff -IFDEF: FOLLOW_X_FORWARDED_FOR -DEFAULT: on -LOC: Config.onoff.log_uses_indirect_client -DOC_START - Controls whether the indirect client address - (see follow_x_forwarded_for) is used instead of the - direct client address in the access log. -DOC_END - -NAME: http_access -TYPE: acl_access -LOC: Config.accessList.http -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access based on defined access lists - - Access to the HTTP port: - http_access allow|deny [!]aclname ... - - NOTE on default values: - - If there are no "access" lines present, the default is to deny - the request. - - If none of the "access" lines cause a match, the default is the - opposite of the last line in the list. If the last line was - deny, the default is allow. Conversely, if the last line - is allow, the default will be deny. For these reasons, it is a - good idea to have an "deny all" entry at the end of your access - lists to avoid potential confusion. - - This clause supports both fast and slow acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - -NOCOMMENT_START - -# -# Recommended minimum Access Permission configuration: -# -# Only allow cachemgr access from localhost -http_access allow manager localhost -http_access deny manager - -# Deny requests to certain unsafe ports -http_access deny !Safe_ports - -# Deny CONNECT to other than secure SSL ports -http_access deny CONNECT !SSL_ports - -# We strongly recommend the following be uncommented to protect innocent -# web applications running on the proxy server who think the only -# one who can access services on "localhost" is a local user -#http_access deny to_localhost - -# -# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS -# - -# Example rule allowing access from your local networks. 
-# Adapt localnet in the ACL section to list your (internal) IP networks -# from where browsing should be allowed -http_access allow localnet -http_access allow localhost - -# And finally deny all other access to this proxy -http_access deny all -NOCOMMENT_END -DOC_END - -NAME: adapted_http_access http_access2 -TYPE: acl_access -LOC: Config.accessList.adapted_http -DEFAULT: none -DOC_START - Allowing or Denying access based on defined access lists - - Essentially identical to http_access, but runs after redirectors - and ICAP/eCAP adaptation. Allowing access control based on their - output. - - If not set then only http_access is used. -DOC_END - -NAME: http_reply_access -TYPE: acl_access -LOC: Config.accessList.reply -DEFAULT: none -DOC_START - Allow replies to client requests. This is complementary to http_access. - - http_reply_access allow|deny [!] aclname ... - - NOTE: if there are no access lines present, the default is to allow - all replies - - If none of the access lines cause a match the opposite of the - last line will apply. Thus it is good practice to end the rules - with an "allow all" or "deny all" entry. - - This clause supports both fast and slow acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - -NAME: icp_access -TYPE: acl_access -LOC: Config.accessList.icp -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to the ICP port based on defined - access lists - - icp_access allow|deny [!]aclname ... - - See http_access for details - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
- -# Allow ICP queries from local networks only -#icp_access allow localnet -#icp_access deny all -DOC_END - -NAME: htcp_access -IFDEF: USE_HTCP -TYPE: acl_access -LOC: Config.accessList.htcp -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to the HTCP port based on defined - access lists - - htcp_access allow|deny [!]aclname ... - - See http_access for details - - NOTE: The default if no htcp_access lines are present is to - deny all traffic. This default may cause problems with peers - using the htcp or htcp-oldsquid options. - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - -# Allow HTCP queries from local networks only -#htcp_access allow localnet -#htcp_access deny all -DOC_END - -NAME: htcp_clr_access -IFDEF: USE_HTCP -TYPE: acl_access -LOC: Config.accessList.htcp_clr -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - Allowing or Denying access to purge content using HTCP based - on defined access lists - - htcp_clr_access allow|deny [!]aclname ... - - See http_access for details - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - -# Allow HTCP CLR requests from trusted peers -acl htcp_clr_peer src 172.16.1.2 -htcp_clr_access allow htcp_clr_peer -DOC_END - -NAME: miss_access -TYPE: acl_access -LOC: Config.accessList.miss -DEFAULT: allow all -DOC_START - Use to force your neighbors to use you as a sibling instead of - a parent. For example: - - acl localclients src 172.16.0.0/16 - miss_access allow localclients - miss_access deny !localclients - - This means only your local clients are allowed to fetch - MISSES and all other clients can only fetch HITS. - - By default, allow all clients who passed the http_access rules - to fetch MISSES from us. - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
-DOC_END - -NAME: ident_lookup_access -TYPE: acl_access -IFDEF: USE_IDENT -DEFAULT: none -DEFAULT_IF_NONE: deny all -LOC: Ident::TheConfig.identLookup -DOC_START - A list of ACL elements which, if matched, cause an ident - (RFC 931) lookup to be performed for this request. For - example, you might choose to always perform ident lookups - for your main multi-user Unix boxes, but not for your Macs - and PCs. By default, ident lookups are not performed for - any requests. - - To enable ident lookups for specific client addresses, you - can follow this example: - - acl ident_aware_hosts src 198.168.1.0/24 - ident_lookup_access allow ident_aware_hosts - ident_lookup_access deny all - - Only src type ACL checks are fully supported. A srcdomain - ACL might work at times, but it will not always provide - the correct result. - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - -NAME: reply_body_max_size -COMMENT: size [acl acl...] -TYPE: acl_b_size_t -DEFAULT: none -LOC: Config.ReplyBodySize -DOC_START - This option specifies the maximum size of a reply body. It can be - used to prevent users from downloading very large files, such as - MP3's and movies. When the reply headers are received, the - reply_body_max_size lines are processed, and the first line where - all (if any) listed ACLs are true is used as the maximum body size - for this reply. - - This size is checked twice. First when we get the reply headers, - we check the content-length value. If the content length value exists - and is larger than the allowed size, the request is denied and the - user receives an error message that says "the request or reply - is too large." If there is no content-length, and the reply - size exceeds this limit, the client's connection is just closed - and they will receive a partial reply. 
- - WARNING: downstream caches probably can not detect a partial reply - if there is no content-length header, so they will cache - partial responses and give them out as hits. You should NOT - use this option if you have downstream caches. - - WARNING: A maximum size smaller than the size of squid's error messages - will cause an infinite loop and crash squid. Ensure that the smallest - non-zero value you use is greater that the maximum header size plus - the size of your largest error page. - - If you set this parameter none (the default), there will be - no limit imposed. - - Configuration Format is: - reply_body_max_size SIZE UNITS [acl ...] - ie. - reply_body_max_size 10 MB - -DOC_END - -COMMENT_START - NETWORK OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: http_port ascii_port -TYPE: http_port_list -DEFAULT: none -LOC: Config.Sockaddr.http -DOC_START - Usage: port [mode] [options] - hostname:port [mode] [options] - 1.2.3.4:port [mode] [options] - - The socket addresses where Squid will listen for HTTP client - requests. You may specify multiple socket addresses. - There are three forms: port alone, hostname with port, and - IP address with port. If you specify a hostname or IP - address, Squid binds the socket to that specific - address. Most likely, you do not need to bind to a specific - address, so you can use the port number alone. - - If you are running Squid in accelerator mode, you - probably want to listen on port 80 also, or instead. - - The -a command line option may be used to specify additional - port(s) where Squid listens for proxy request. Such ports will - be plain proxy ports with no options. - - You may specify multiple socket addresses on multiple lines. - - Modes: - - intercept Support for IP-Layer interception of - outgoing requests without browser settings. - NP: disables authentication and IPv6 on the port. 
- - tproxy Support Linux TPROXY for spoofing outgoing - connections using the client IP address. - NP: disables authentication and maybe IPv6 on the port. - - accel Accelerator mode. Also needs at least one of - vhost / vport / defaultsite. - - sslbump Intercept each CONNECT request matching ssl_bump ACL, - establish secure connection with the client and with - the server, decrypt HTTP messages as they pass through - Squid, and treat them as unencrypted HTTP messages, - becoming the man-in-the-middle. - - The ssl_bump option is required to fully enable - the SslBump feature. - - Omitting the mode flag causes default forward proxy mode to be used. - - - Accelerator Mode Options: - - allow-direct Allow direct forwarding in accelerator mode. Normally - accelerated requests are denied direct forwarding as if - never_direct was used. - - defaultsite=domainname - What to use for the Host: header if it is not present - in a request. Determines what site (not origin server) - accelerators should consider the default. - Implies accel. - - vhost Using the Host header for virtual domain support. - Also uses the port as specified in Host: header. - - vport IP based virtual host support. Using the http_port number - in passed on Host: headers. - - vport=NN Uses the specified port number rather than the - http_port number. - - protocol= Protocol to reconstruct accelerated requests with. - Defaults to http://. - - ignore-cc Ignore request Cache-Control headers. - - Warning: This option violates HTTP specifications if - used in non-accelerator setups. - - - SSL Bump Mode Options: - - cert= Path to SSL certificate (PEM format). - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file. - - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers. - - options= Various SSL engine options. 
The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate. - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. - - capath= Directory containing additional CA certificates - and CRL lists to use when verifying client certificates. - - crlfile= File of additional CRL lists to use when verifying - the client certificate, in addition to CRLs stored in - the capath. Implies VERIFY_CRL flag below. - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges. - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate (not yet implemented). - NO_DEFAULT_CA - Don't use the default CA lists built in - to OpenSSL. - NO_SESSION_REUSE - Don't allow for session reuse. Each connection - will result in a new SSL session. - VERIFY_CRL - Verify CRL lists when accepting client - certificates. - VERIFY_CRL_ALL - Verify CRL lists for all certificates in the - client certificate chain. - - sslcontext= SSL session ID context identifier. - - - Other Options: - - connection-auth[=on|off] - use connection-auth=off to tell Squid to prevent - forwarding Microsoft connection oriented authentication - (NTLM, Negotiate and Kerberos) - - disable-pmtu-discovery= - Control Path-MTU discovery usage: - off lets OS decide on what to do (default). - transparent disable PMTU discovery when transparent - support is enabled. - always disable always PMTU discovery. 
- - In many setups of transparently intercepting proxies - Path-MTU discovery can not work on traffic towards the - clients. This is the case when the intercepting device - does not fully track connections and fails to forward - ICMP must fragment messages to the cache server. If you - have such setup and experience that certain clients - sporadically hang or never complete requests set - disable-pmtu-discovery option to 'transparent'. - - name= Specifies a internal name for the port. Defaults to - the port specification (port or addr:port) - - tcpkeepalive[=idle,interval,timeout] - Enable TCP keepalive probes of idle connections - idle is the initial time before TCP starts probing - the connection, interval how often to probe, and - timeout the time before giving up. - - If you run Squid on a dual-homed machine with an internal - and an external interface we recommend you to specify the - internal address:port in http_port. This way Squid will only be - visible on the internal address. - -NOCOMMENT_START - -# Squid normally listens to port 3128 -http_port @DEFAULT_HTTP_PORT@ -NOCOMMENT_END -DOC_END - -NAME: https_port -IFDEF: USE_SSL -TYPE: https_port_list -DEFAULT: none -LOC: Config.Sockaddr.https -DOC_START - Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] - - The socket address where Squid will listen for HTTPS client - requests. - - This is really only useful for situations where you are running - squid in accelerator mode and you want to do the SSL work at the - accelerator level. - - You may specify multiple socket addresses on multiple lines, - each with their own SSL certificate and/or options. - - Options: - - accel Accelerator mode. Also needs at least one of - defaultsite or vhost. - - defaultsite= The name of the https site presented on - this port. Implies accel. - - vhost Accelerator mode using Host header for virtual - domain support. Requires a wildcard certificate - or other certificate valid for more than one domain. 
- Implies accel. - - protocol= Protocol to reconstruct accelerated requests with. - Defaults to https. - - cert= Path to SSL certificate (PEM format). - - key= Path to SSL private key file (PEM format) - if not specified, the certificate file is - assumed to be a combined certificate and - key file. - - version= The version of SSL/TLS supported - 1 automatic (default) - 2 SSLv2 only - 3 SSLv3 only - 4 TLSv1 only - - cipher= Colon separated list of supported ciphers. - - options= Various SSL engine options. The most important - being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE Always create a new key when using - temporary/ephemeral DH key exchanges - See src/ssl_support.c or OpenSSL SSL_CTX_set_options - documentation for a complete list of options. - - clientca= File containing the list of CAs to use when - requesting a client certificate. - - cafile= File containing additional CA certificates to - use when verifying client certificates. If unset - clientca will be used. - - capath= Directory containing additional CA certificates - and CRL lists to use when verifying client certificates. - - crlfile= File of additional CRL lists to use when verifying - the client certificate, in addition to CRLs stored in - the capath. Implies VERIFY_CRL flag below. - - dhparams= File containing DH parameters for temporary/ephemeral - DH key exchanges. - - sslflags= Various flags modifying the use of SSL: - DELAYED_AUTH - Don't request client certificates - immediately, but wait until acl processing - requires a certificate (not yet implemented). - NO_DEFAULT_CA - Don't use the default CA lists built in - to OpenSSL. - NO_SESSION_REUSE - Don't allow for session reuse. Each connection - will result in a new SSL session. - VERIFY_CRL - Verify CRL lists when accepting client - certificates. - VERIFY_CRL_ALL - Verify CRL lists for all certificates in the - client certificate chain. 
- - sslcontext= SSL session ID context identifier. - - vport Accelerator with IP based virtual host support. - - vport=NN As above, but uses specified port number rather - than the https_port number. Implies accel. - - name= Specifies a internal name for the port. Defaults to - the port specification (port or addr:port) - -DOC_END - -NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp -TYPE: acl_tos -DEFAULT: none -LOC: Config.accessList.outgoing_tos -DOC_START - Allows you to select a TOS/Diffserv value to mark outgoing - connections with, based on the username or source address - making the request. - - tcp_outgoing_tos ds-field [!]aclname ... - - Example where normal_service_net uses the TOS value 0x00 - and good_service_net uses 0x20 - - acl normal_service_net src 10.0.0.0/255.255.255.0 - acl good_service_net src 10.0.1.0/255.255.255.0 - tcp_outgoing_tos 0x00 normal_service_net - tcp_outgoing_tos 0x20 good_service_net - - TOS/DSCP values really only have local significance - so you should - know what you're specifying. For more information, see RFC2474, - RFC2475, and RFC3260. - - The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or - "default" to use whatever default your host has. Note that in - practice often only values 0 - 63 is usable as the two highest bits - have been redefined for use by ECN (RFC3168). - - Processing proceeds in the order specified, and stops at first fully - matching line. - - Note: The use of this directive using client dependent ACLs is - incompatible with the use of server side persistent connections. To - ensure correct results it is best to set server_persisten_connections - to off when using this directive in such configurations. -DOC_END - -NAME: clientside_tos -TYPE: acl_tos -DEFAULT: none -LOC: Config.accessList.clientside_tos -DOC_START - Allows you to select a TOS/Diffserv value to mark client-side - connections with, based on the username or source address - making the request. 
-DOC_END - -NAME: qos_flows -TYPE: QosConfig -IFDEF: USE_ZPH_QOS -DEFAULT: none -LOC: Ip::Qos::TheConfig -DOC_START - Allows you to select a TOS/DSCP value to mark outgoing - connections with, based on where the reply was sourced. - - TOS values really only have local significance - so you should - know what you're specifying. For more information, see RFC2474, - RFC2475, and RFC3260. - - The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. - Note that in practice often only values up to 0x3F are usable - as the two highest bits have been redefined for use by ECN - (RFC3168). - - This setting is configured by setting the source TOS values: - - local-hit=0xFF Value to mark local cache hits. - - sibling-hit=0xFF Value to mark hits from sibling peers. - - parent-hit=0xFF Value to mark hits from parent peers. - - - NOTE: 'miss' preserve feature is only possible on Linux at this time. - - For the following to work correctly, you will need to patch your - linux kernel with the TOS preserving ZPH patch. - The kernel patch can be downloaded from http://zph.bratcheda.org - - disable-preserve-miss - If set, any HTTP response towards clients will - have the TOS value of the response comming from the - remote server masked with the value of miss-mask. - - miss-mask=0xFF - Allows you to mask certain bits in the TOS received from the - remote server, before copying the value to the TOS sent - towards clients. - Default: 0xFF (TOS from server is not changed). - -DOC_END - -NAME: tcp_outgoing_address -TYPE: acl_address -DEFAULT: none -LOC: Config.accessList.outgoing_address -DOC_START - Allows you to map requests to different outgoing IP addresses - based on the username or source address of the user making - the request. - - tcp_outgoing_address ipaddr [[!]aclname] ... 
- - Example where requests from 10.0.0.0/24 will be forwarded - with source address 10.1.0.1, 10.0.2.0/24 forwarded with - source address 10.1.0.2 and the rest will be forwarded with - source address 10.1.0.3. - - acl normal_service_net src 10.0.0.0/24 - acl good_service_net src 10.0.2.0/24 - tcp_outgoing_address 10.1.0.1 normal_service_net - tcp_outgoing_address 10.1.0.2 good_service_net - tcp_outgoing_address 10.1.0.3 - - Processing proceeds in the order specified, and stops at first fully - matching line. - - Note: The use of this directive using client dependent ACLs is - incompatible with the use of server side persistent connections. To - ensure correct results it is best to set server_persistent_connections - to off when using this directive in such configurations. - - Note: The use of this directive to set a local IP on outgoing TCP links - is incompatible with using TPROXY to set client IP out outbound TCP links. - When needing to contact peers use the no-tproxy cache_peer option to - re-enable normal forwarding such as this. - - IPv6 Magic: - - Squid is built with a capability of bridging the IPv4 and IPv6 - internets. - tcp_outgoing_address as exampled above breaks this bridging by forcing - all outbound traffic through a certain IPv4 which may be on the wrong - side of the IPv4/IPv6 boundary. - - To operate with tcp_outgoing_address and keep the bridging benefits - an additional ACL needs to be used which ensures the IPv6-bound traffic - is never forced or permitted out the IPv4 interface. - - acl to_ipv6 dst ipv6 - tcp_outgoing_address 2002::c001 good_service_net to_ipv6 - tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 - - tcp_outgoing_address 2002::beef normal_service_net to_ipv6 - tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 - - tcp_outgoing_address 2002::1 to_ipv6 - tcp_outgoing_address 10.1.0.3 !to_ipv6 - - WARNING: - 'dst ipv6' bases its selection assuming DIRECT access. 
- If peers are used the peername ACL are needed to select outgoing - address which can link to the peer. - - 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used - previously in the http_access rules to locate the destination IP. - Some more magic may be needed for that: - http_access allow to_ipv6 !all - (meaning, allow if to IPv6 but not from anywhere ;) - -DOC_END - -COMMENT_START - SSL OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: ssl_unclean_shutdown -IFDEF: USE_SSL -TYPE: onoff -DEFAULT: off -LOC: Config.SSL.unclean_shutdown -DOC_START - Some browsers (especially MSIE) bugs out on SSL shutdown - messages. -DOC_END - -NAME: ssl_engine -IFDEF: USE_SSL -TYPE: string -LOC: Config.SSL.ssl_engine -DEFAULT: none -DOC_START - The OpenSSL engine to use. You will need to set this if you - would like to use hardware SSL acceleration for example. -DOC_END - -NAME: sslproxy_client_certificate -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cert -TYPE: string -DOC_START - Client SSL Certificate to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_client_key -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.key -TYPE: string -DOC_START - Client SSL Key to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_version -IFDEF: USE_SSL -DEFAULT: 1 -LOC: Config.ssl_client.version -TYPE: int -DOC_START - SSL version level to use when proxying https:// URLs -DOC_END - -NAME: sslproxy_options -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.options -TYPE: string -DOC_START - SSL engine options to use when proxying https:// URLs - - The most important being: - - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE - Always create a new key when using - temporary/ephemeral DH key exchanges - - These options vary depending on your SSL engine. 
- See the OpenSSL SSL_CTX_set_options documentation for a - complete list of possible options. -DOC_END - -NAME: sslproxy_cipher -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cipher -TYPE: string -DOC_START - SSL cipher list to use when proxying https:// URLs - - Colon separated list of supported ciphers. -DOC_END - -NAME: sslproxy_cafile -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cafile -TYPE: string -DOC_START - file containing CA certificates to use when verifying server - certificates while proxying https:// URLs -DOC_END - -NAME: sslproxy_capath -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.capath -TYPE: string -DOC_START - directory containing CA certificates to use when verifying - server certificates while proxying https:// URLs -DOC_END - -NAME: ssl_bump -IFDEF: USE_SSL -TYPE: acl_access -LOC: Config.accessList.ssl_bump -DEFAULT: none -DOC_START - This ACL controls which CONNECT requests to an http_port - marked with an sslBump flag are actually "bumped". Please - see the sslBump flag of an http_port option for more details - about decoding proxied SSL connections. - - By default, no requests are bumped. - - See also: http_port sslBump - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - - - # Example: Bump all requests except those originating from localhost and - # those going to webax.com or example.com sites. - - acl localhost src 127.0.0.1/32 - acl broken_sites dstdomain .webax.com - acl broken_sites dstdomain .example.com - ssl_bump deny localhost - ssl_bump deny broken_sites - ssl_bump allow all -DOC_END - -NAME: sslproxy_flags -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.flags -TYPE: string -DOC_START - Various flags modifying the use of SSL while proxying https:// URLs: - DONT_VERIFY_PEER Accept certificates that fail verification. - For refined control, see sslproxy_cert_error. - NO_DEFAULT_CA Don't use the default CA list built in - to OpenSSL. 
-DOC_END - - -NAME: sslproxy_cert_error -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.ssl_client.cert_error -TYPE: acl_access -DOC_START - Use this ACL to bypass server certificate validation errors. - - For example, the following lines will bypass all validation errors - when talking to servers located at 172.16.0.0/16. All other - validation errors will result in ERR_SECURE_CONNECT_FAIL error. - - acl BrokenServersAtTrustedIP dst 172.16.0.0/16 - sslproxy_cert_error allow BrokenServersAtTrustedIP - sslproxy_cert_error deny all - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - Using slow acl types may result in server crashes - - Without this option, all server certificate validation errors - terminate the transaction. Bypassing validation errors is dangerous - because an error usually implies that the server cannot be trusted and - the connection may be insecure. - - See also: sslproxy_flags and DONT_VERIFY_PEER. - - Default setting: sslproxy_cert_error deny all -DOC_END - - - -NAME: sslpassword_program -IFDEF: USE_SSL -DEFAULT: none -LOC: Config.Program.ssl_password -TYPE: string -DOC_START - Specify a program used for entering SSL key passphrases - when using encrypted SSL certificate keys. If not specified - keys must either be unencrypted, or Squid started with the -N - option to allow it to query interactively for the passphrase. 
-DOC_END - -COMMENT_START - OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_peer -TYPE: peer -DEFAULT: none -LOC: Config.peers -DOC_START - To specify other caches in a hierarchy, use the format: - - cache_peer hostname type http-port icp-port [options] - - For example, - - # proxy icp - # hostname type port port options - # -------------------- -------- ----- ----- ----------- - cache_peer parent.foo.net parent 3128 3130 default - cache_peer sib1.foo.net sibling 3128 3130 proxy-only - cache_peer sib2.foo.net sibling 3128 3130 proxy-only - cache_peer example.com parent 80 0 no-query default - cache_peer cdn.example.com sibling 3128 0 - - type: either 'parent', 'sibling', or 'multicast'. - - proxy-port: The port number where the peer accept HTTP requests. - For other Squid proxies this is usually 3128 - For web servers this is usually 80 - - icp-port: Used for querying neighbor caches about objects. - Set to 0 if the peer does not support ICP or HTCP. - See ICP and HTCP options below for additional details. - - - ==== ICP OPTIONS ==== - - You MUST also set icp_port and icp_access explicitly when using these options. - The defaults will prevent peer traffic using ICP. - - - no-query Disable ICP queries to this neighbor. - - multicast-responder - Indicates the named peer is a member of a multicast group. - ICP queries will not be sent directly to the peer, but ICP - replies will be accepted from it. - - closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward - CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. - - background-ping - To only send ICP queries to this neighbor infrequently. - This is used to keep the neighbor round trip time updated - and is usually used in conjunction with weighted-round-robin. - - - ==== HTCP OPTIONS ==== - - You MUST also set htcp_port and htcp_access explicitly when using these options. 
- The defaults will prevent peer traffic using HTCP. - - - htcp Send HTCP, instead of ICP, queries to the neighbor. - You probably also want to set the "icp-port" to 4827 - instead of 3130. - - htcp-oldsquid Send HTCP to old Squid versions. - - htcp-no-clr Send HTCP to the neighbor but without - sending any CLR requests. This cannot be used with - htcp-only-clr. - - htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. - This cannot be used with htcp-no-clr. - - htcp-no-purge-clr - Send HTCP to the neighbor including CLRs but only when - they do not result from PURGE requests. - - htcp-forward-clr - Forward any HTCP CLR requests this proxy receives to the peer. - - - ==== PEER SELECTION METHODS ==== - - The default peer selection method is ICP, with the first responding peer - being used as source. These options can be used for better load balancing. - - - default This is a parent cache which can be used as a "last-resort" - if a peer cannot be located by any of the peer-selection methods. - If specified more than once, only the first is used. - - round-robin Load-Balance parents which should be used in a round-robin - fashion in the absence of any ICP queries. - weight=N can be used to add bias. - - weighted-round-robin - Load-Balance parents which should be used in a round-robin - fashion with the frequency of each parent being based on the - round trip time. Closer parents are used more often. - Usually used for background-ping parents. - weight=N can be used to add bias. - - carp Load-Balance parents which should be used as a CARP array. - The requests will be distributed among the parents based on the - CARP load balancing hash function based on their weight. - - userhash Load-balance parents based on the client proxy_auth or ident username. - - sourcehash Load-balance parents based on the client source IP. - - multicast-siblings - To be used only for cache peers of type "multicast". 
- ALL members of this multicast group have "sibling" - relationship with it, not "parent". This is to a mulicast - group when the requested object would be fetched only from - a "parent" cache, anyway. It's useful, e.g., when - configuring a pool of redundant Squid proxies, being - members of the same multicast group. - - - ==== PEER SELECTION OPTIONS ==== - - weight=N use to affect the selection of a peer during any weighted - peer-selection mechanisms. - The weight must be an integer; default is 1, - larger weights are favored more. - This option does not affect parent selection if a peering - protocol is not in use. - - basetime=N Specify a base amount to be subtracted from round trip - times of parents. - It is subtracted before division by weight in calculating - which parent to fectch from. If the rtt is less than the - base time the rtt is set to a minimal value. - - ttl=N Specify a IP multicast TTL to use when sending an ICP - queries to this address. - Only useful when sending to a multicast group. - Because we don't accept ICP replies from random - hosts, you must configure other group members as - peers with the 'multicast-responder' option. - - no-delay To prevent access to this neighbor from influencing the - delay pools. - - digest-url=URL Tell Squid to fetch the cache digest (if digests are - enabled) for this host from the specified URL rather - than the Squid default location. - - - ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== - - originserver Causes this parent to be contacted as an origin server. - Meant to be used in accelerator setups when the peer - is a web server. - - forceddomain=name - Set the Host header of requests forwarded to this peer. - Useful in accelerator setups where the server (peer) - expects a certain domain name but clients may request - others. ie example.com or www.example.com - - no-digest Disable request of cache digests. - - no-netdb-exchange - Disables requesting ICMP RTT database (NetDB). 
- - - ==== AUTHENTICATION OPTIONS ==== - - login=user:password - If this is a personal/workgroup proxy and your parent - requires proxy authentication. - - Note: The string can include URL escapes (i.e. %20 for - spaces). This also means % must be written as %%. - - login=PASSTHRU - Send login details received from client to this peer. - Both Proxy- and WWW-Authorization headers are passed - without alteration to the peer. - Authentication is not required by Squid for this to work. - - Note: This will pass any form of authentication but - only Basic auth will work through a proxy unless the - connection-auth options are also used. - - login=PASS Send login details received from client to this peer. - Authentication is not required by this option. - - If there are no client-provided authentication headers - to pass on, but username and password are available - from an external ACL user= and password= result tags - they may be sent instead. - - Note: To combine this with proxy_auth both proxies must - share the same user database as HTTP only allows for - a single login (one for proxy, one for origin server). - Also be warned this will expose your users proxy - password to the peer. USE WITH CAUTION - - login=*:password - Send the username to the upstream cache, but with a - fixed password. This is meant to be used when the peer - is in another administrative domain, but it is still - needed to identify each user. - The star can optionally be followed by some extra - information which is added to the username. This can - be used to identify this proxy to the peer, similar to - the login=username:password option above. - - login=NEGOTIATE - If this is a personal/workgroup proxy and your parent - requires a secure proxy authentication. - The first principal from the default keytab or defined by - the environment variable KRB5_KTNAME will be used. 
- - login=NEGOTIATE:principal_name - If this is a personal/workgroup proxy and your parent - requires a secure proxy authentication. - The principal principal_name from the default keytab or - defined by the environment variable KRB5_KTNAME will be - used. - - connection-auth=on|off - Tell Squid that this peer does or not support Microsoft - connection oriented authentication, and any such - challenges received from there should be ignored. - Default is auto to automatically determine the status - of the peer. - - - ==== SSL / HTTPS / TLS OPTIONS ==== - - ssl Encrypt connections to this peer with SSL/TLS. - - sslcert=/path/to/ssl/certificate - A client SSL certificate to use when connecting to - this peer. - - sslkey=/path/to/ssl/key - The private SSL key corresponding to sslcert above. - If 'sslkey' is not specified 'sslcert' is assumed to - reference a combined file containing both the - certificate and the key. - - sslversion=1|2|3|4 - The SSL version to use when connecting to this peer - 1 = automatic (default) - 2 = SSL v2 only - 3 = SSL v3 only - 4 = TLS v1 only - - sslcipher=... The list of valid SSL ciphers to use when connecting - to this peer. - - ssloptions=... Specify various SSL engine options: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - See src/ssl_support.c or the OpenSSL documentation for - a more complete list. - - sslcafile=... A file containing additional CA certificates to use - when verifying the peer certificate. - - sslcapath=... A directory containing additional CA certificates to - use when verifying the peer certificate. - - sslcrlfile=... A certificate revocation list file to use when - verifying the peer certificate. - - sslflags=... Specify various flags modifying the SSL implementation: - - DONT_VERIFY_PEER - Accept certificates even if they fail to - verify. - NO_DEFAULT_CA - Don't use the default CA list built in - to OpenSSL. 
- DONT_VERIFY_DOMAIN - Don't verify the peer certificate - matches the server name - - ssldomain= The peer name as advertised in it's certificate. - Used for verifying the correctness of the received peer - certificate. If not specified the peer hostname will be - used. - - front-end-https - Enable the "Front-End-Https: On" header needed when - using Squid as a SSL frontend in front of Microsoft OWA. - See MS KB document Q307347 for details on this header. - If set to auto the header will only be added if the - request is forwarded as a https:// URL. - - - ==== GENERAL OPTIONS ==== - - connect-timeout=N - A peer-specific connect timeout. - Also see the peer_connect_timeout directive. - - connect-fail-limit=N - How many times connecting to a peer must fail before - it is marked as down. Default is 10. - - allow-miss Disable Squid's use of only-if-cached when forwarding - requests to siblings. This is primarily useful when - icp_hit_stale is used by the sibling. To extensive use - of this option may result in forwarding loops, and you - should avoid having two-way peerings with this option. - For example to deny peer usage on requests from peer - by denying cache_peer_access if the source is a peer. - - max-conn=N Limit the amount of connections Squid may open to this - peer. see also - - name=xxx Unique name for the peer. - Required if you have multiple peers on the same host - but different ports. - This name can be used in cache_peer_access and similar - directives to dentify the peer. - Can be used by outgoing access controls through the - peername ACL type. - - no-tproxy Do not use the client-spoof TPROXY support when forwarding - requests to this peer. Use normal address selection instead. - - proxy-only objects fetched from the peer will not be stored locally. - -DOC_END - -NAME: cache_peer_domain cache_host_domain -TYPE: hostdomain -DEFAULT: none -LOC: none -DOC_START - Use to limit the domains for which a neighbor cache will be - queried. 
Usage: - - cache_peer_domain cache-host domain [domain ...] - cache_peer_domain cache-host !domain - - For example, specifying - - cache_peer_domain parent.foo.net .edu - - has the effect such that UDP query packets are sent to - 'bigserver' only when the requested object exists on a - server in the .edu domain. Prefixing the domainname - with '!' means the cache will be queried for objects - NOT in that domain. - - NOTE: * Any number of domains may be given for a cache-host, - either on the same or separate lines. - * When multiple domains are given for a particular - cache-host, the first matched domain is applied. - * Cache hosts with no domain restrictions are queried - for all requests. - * There are no defaults. - * There is also a 'cache_peer_access' tag in the ACL - section. -DOC_END - -NAME: cache_peer_access -TYPE: peer_access -DEFAULT: none -LOC: none -DOC_START - Similar to 'cache_peer_domain' but provides more flexibility by - using ACL elements. - - cache_peer_access cache-host allow|deny [!]aclname ... - - The syntax is identical to 'http_access' and the other lists of - ACL elements. See the comments for 'http_access' below, or - the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). -DOC_END - -NAME: neighbor_type_domain -TYPE: hostdomaintype -DEFAULT: none -LOC: none -DOC_START - usage: neighbor_type_domain neighbor parent|sibling domain domain ... - - Modifying the neighbor type for specific domains is now - possible. You can treat some domains differently than the - default neighbor type specified on the 'cache_peer' line. - Normally it should only be necessary to list domains which - should be treated differently because the default neighbor type - applies for hostnames which do not match domains listed here. 
- -EXAMPLE: - cache_peer cache.foo.org parent 3128 3130 - neighbor_type_domain cache.foo.org sibling .com .net - neighbor_type_domain cache.foo.org sibling .au .de -DOC_END - -NAME: dead_peer_timeout -COMMENT: (seconds) -DEFAULT: 10 seconds -TYPE: time_t -LOC: Config.Timeout.deadPeer -DOC_START - This controls how long Squid waits to declare a peer cache - as "dead." If there are no ICP replies received in this - amount of time, Squid will declare the peer dead and not - expect to receive any further ICP replies. However, it - continues to send ICP queries, and will mark the peer as - alive upon receipt of the first subsequent ICP reply. - - This timeout also affects when Squid expects to receive ICP - replies from peers. If more than 'dead_peer' seconds have - passed since the last ICP reply was received, Squid will not - expect to receive an ICP reply on the next query. Thus, if - your time between requests is greater than this timeout, you - will see a lot of requests sent DIRECT to origin servers - instead of to your parents. -DOC_END - -NAME: forward_max_tries -DEFAULT: 10 -TYPE: int -LOC: Config.forward_max_tries -DOC_START - Controls how many different forward paths Squid will try - before giving up. See also forward_timeout. -DOC_END - -NAME: hierarchy_stoplist -TYPE: wordlist -DEFAULT: none -LOC: Config.hierarchy_stoplist -DOC_START - A list of words which, if found in a URL, cause the object to - be handled directly by this cache. In other words, use this - to not query neighbor caches for certain objects. You may - list this option multiple times. - Note: never_direct overrides this option. -NOCOMMENT_START - -# We recommend you to use at least the following line. -hierarchy_stoplist cgi-bin ? 
-NOCOMMENT_END -DOC_END - -COMMENT_START - MEMORY CACHE OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_mem -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 256 MB -LOC: Config.memMaxSize -DOC_START - NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. - IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL - USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER - THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. - - 'cache_mem' specifies the ideal amount of memory to be used - for: - * In-Transit objects - * Hot Objects - * Negative-Cached objects - - Data for these objects are stored in 4 KB blocks. This - parameter specifies the ideal upper limit on the total size of - 4 KB blocks allocated. In-Transit objects take the highest - priority. - - In-transit objects have priority over the others. When - additional space is needed for incoming data, negative-cached - and hot objects will be released. In other words, the - negative-cached and hot objects will fill up any unused space - not needed for in-transit objects. - - If circumstances require, this limit will be exceeded. - Specifically, if your incoming request rate requires more than - 'cache_mem' of memory to hold in-transit objects, Squid will - exceed this limit to satisfy the new requests. When the load - decreases, blocks will be freed until the high-water mark is - reached. Thereafter, blocks will be used to store hot - objects. -DOC_END - -NAME: maximum_object_size_in_memory -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 512 KB -LOC: Config.Store.maxInMemObjSize -DOC_START - Objects greater than this size will not be attempted to kept in - the memory cache. This should be set high enough to keep objects - accessed frequently in memory to improve performance whilst low - enough to keep larger objects from hoarding cache_mem. 
-DOC_END - -NAME: memory_cache_mode -TYPE: memcachemode -LOC: Config -DEFAULT: always -DOC_START - Controls which objects to keep in the memory cache (cache_mem) - - always Keep most recently fetched objects in memory (default) - - disk Only disk cache hits are kept in memory, which means - an object must first be cached on disk and then hit - a second time before cached in memory. - - network Only objects fetched from network is kept in memory -DOC_END - -NAME: memory_replacement_policy -TYPE: removalpolicy -LOC: Config.memPolicy -DEFAULT: lru -DOC_START - The memory replacement policy parameter determines which - objects are purged from memory when memory space is needed. - - See cache_replacement_policy for details. -DOC_END - -COMMENT_START - DISK CACHE OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_replacement_policy -TYPE: removalpolicy -LOC: Config.replPolicy -DEFAULT: lru -DOC_START - The cache replacement policy parameter determines which - objects are evicted (replaced) when disk space is needed. - - lru : Squid's original list based LRU policy - heap GDSF : Greedy-Dual Size Frequency - heap LFUDA: Least Frequently Used with Dynamic Aging - heap LRU : LRU policy implemented using a heap - - Applies to any cache_dir lines listed below this. - - The LRU policies keeps recently referenced objects. - - The heap GDSF policy optimizes object hit rate by keeping smaller - popular objects in cache so it has a better chance of getting a - hit. It achieves a lower byte hit rate than LFUDA though since - it evicts larger (possibly popular) objects. - - The heap LFUDA policy keeps popular objects in cache regardless of - their size and thus optimizes byte hit rate at the expense of - hit rate since one large, popular object will prevent many - smaller, slightly less popular objects from being cached. 
- - Both policies utilize a dynamic aging mechanism that prevents - cache pollution that can otherwise occur with frequency-based - replacement policies. - - NOTE: if using the LFUDA replacement policy you should increase - the value of maximum_object_size above its default of 4096 KB to - to maximize the potential byte hit rate improvement of LFUDA. - - For more information about the GDSF and LFUDA cache replacement - policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html - and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. -DOC_END - -NAME: cache_dir -TYPE: cachedir -DEFAULT: none -LOC: Config.cacheSwap -DOC_START - Usage: - - cache_dir Type Directory-Name Fs-specific-data [options] - - You can specify multiple cache_dir lines to spread the - cache among different disk partitions. - - Type specifies the kind of storage system to use. Only "ufs" - is built by default. To enable any of the other storage systems - see the --enable-storeio configure option. - - 'Directory' is a top-level directory where cache swap - files will be stored. If you want to use an entire disk - for caching, this can be the mount-point directory. - The directory must exist and be writable by the Squid - process. Squid will NOT create this directory for you. - - The ufs store type: - - "ufs" is the old well-known Squid storage format that has always - been there. - - cache_dir ufs Directory-Name Mbytes L1 L2 [options] - - 'Mbytes' is the amount of disk space (MB) to use under this - directory. The default is 100 MB. Change this to suit your - configuration. Do NOT put the size of your disk drive here. - Instead, if you want Squid to use the entire disk drive, - subtract 20% and use that value. - - 'Level-1' is the number of first-level subdirectories which - will be created under the 'Directory'. The default is 16. - - 'Level-2' is the number of second-level subdirectories which - will be created under each first-level directory. The default - is 256. 
- - The aufs store type: - - "aufs" uses the same storage format as "ufs", utilizing - POSIX-threads to avoid blocking the main Squid process on - disk-I/O. This was formerly known in Squid as async-io. - - cache_dir aufs Directory-Name Mbytes L1 L2 [options] - - see argument descriptions under ufs above - - The diskd store type: - - "diskd" uses the same storage format as "ufs", utilizing a - separate process to avoid blocking the main Squid process on - disk-I/O. - - cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] - - see argument descriptions under ufs above - - Q1 specifies the number of unacknowledged I/O requests when Squid - stops opening new files. If this many messages are in the queues, - Squid won't open new files. Default is 64 - - Q2 specifies the number of unacknowledged messages when Squid - starts blocking. If this many messages are in the queues, - Squid blocks until it receives some replies. Default is 72 - - When Q1 < Q2 (the default), the cache directory is optimized - for lower response time at the expense of a decrease in hit - ratio. If Q1 > Q2, the cache directory is optimized for - higher hit ratio at the expense of an increase in response - time. - - The coss store type: - - NP: COSS filesystem in Squid-3 has been deemed too unstable for - production use and has thus been removed from this release. - We hope that it can be made usable again soon. - - block-size=n defines the "block size" for COSS cache_dir's. - Squid uses file numbers as block numbers. Since file numbers - are limited to 24 bits, the block size determines the maximum - size of the COSS partition. The default is 512 bytes, which - leads to a maximum cache_dir size of 512<<24, or 8 GB. Note - you should not change the coss block size after Squid - has written some objects to the cache_dir. - - The coss file store has changed from 2.5. Now it uses a file - called 'stripe' in the directory names in the config - and - this will be created by squid -z. 
- - Common options: - - no-store, no new objects should be stored to this cache_dir - - max-size=n, refers to the max object size this storedir supports. - It is used to initially choose the storedir to dump the object. - Note: To make optimal use of the max-size limits you should order - the cache_dir lines with the smallest max-size value first and the - ones with no max-size specification last. - - Note for coss, max-size must be less than COSS_MEMBUF_SZ, - which can be changed with the --with-coss-membuf-size=N configure - option. -NOCOMMENT_START - -# Uncomment and adjust the following to add a disk cache directory. -#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256 -NOCOMMENT_END -DOC_END - -NAME: store_dir_select_algorithm -TYPE: string -LOC: Config.store_dir_select_algorithm -DEFAULT: least-load -DOC_START - Set this to 'round-robin' as an alternative. -DOC_END - -NAME: max_open_disk_fds -TYPE: int -LOC: Config.max_open_disk_fds -DEFAULT: 0 -DOC_START - To avoid having disk as the I/O bottleneck Squid can optionally - bypass the on-disk cache if more than this amount of disk file - descriptors are open. - - A value of 0 indicates no limit. -DOC_END - -NAME: minimum_object_size -COMMENT: (bytes) -TYPE: b_int64_t -DEFAULT: 0 KB -LOC: Config.Store.minObjectSize -DOC_START - Objects smaller than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 0 KB, which - means there is no minimum. -DOC_END - -NAME: maximum_object_size -COMMENT: (bytes) -TYPE: b_int64_t -DEFAULT: 4096 KB -LOC: Config.Store.maxObjectSize -DOC_START - Objects larger than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 4MB. If - you wish to get a high BYTES hit ratio, you should probably - increase this (one 32 MB object hit counts for 3200 10KB - hits). If you wish to increase speed more than your want to - save bandwidth you should leave this low. 
- - NOTE: if using the LFUDA replacement policy you should increase - this value to maximize the byte hit rate improvement of LFUDA! - See replacement_policy below for a discussion of this policy. -DOC_END - -NAME: cache_swap_low -COMMENT: (percent, 0-100) -TYPE: int -DEFAULT: 90 -LOC: Config.Swap.lowWaterMark -DOC_NONE - -NAME: cache_swap_high -COMMENT: (percent, 0-100) -TYPE: int -DEFAULT: 95 -LOC: Config.Swap.highWaterMark -DOC_START - - The low- and high-water marks for cache object replacement. - Replacement begins when the swap (disk) usage is above the - low-water mark and attempts to maintain utilization near the - low-water mark. As swap utilization gets close to high-water - mark object eviction becomes more aggressive. If utilization is - close to the low-water mark less replacement is done each time. - - Defaults are 90% and 95%. If you have a large cache, 5% could be - hundreds of MB. If this is the case you may wish to set these - numbers closer together. -DOC_END - -COMMENT_START - LOGFILE OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: logformat -TYPE: logformat -LOC: Config.Log.logformats -DEFAULT: none -DOC_START - Usage: - - logformat - - Defines an access log format. - - The is a string with embedded % format codes - - % format codes all follow the same basic structure where all but - the formatcode is optional. Output strings are automatically escaped - as required according to their context and the output format - modifiers are usually not needed, but can be specified if an explicit - output format is desired. - - % ["|[|'|#] [-] [[0]width] [{argument}] formatcode - - " output in quoted string format - [ output in squid text log format as used by log_mime_hdrs - # output in URL quoted format - ' output as-is - - - left aligned - width field width. 
If starting with 0 the - output is zero padded - {arg} argument such as header name etc - - Format codes: - - % a literal % character - >a Client source IP address - >A Client FQDN - >p Client source port - h Original request header. Optional header name argument - on the format header[:[separator]element] - [http::]>ha The HTTP request headers after adaptation and redirection. - Optional header name argument as for >h - [http::]h - [http::]un User name - [http::]ul User name from authentication - [http::]ui User name from ident - [http::]us User name from SSL - [http::]ue User name from external acl helper - [http::]>Hs HTTP status code sent to the client - [http::]st Received request size including HTTP headers. In the - case of chunked requests the chunked encoding metadata - are not included - [http::]>sh Received HTTP request headers size - [http::]a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh -DOC_END - -NAME: access_log cache_access_log -TYPE: access_log -LOC: Config.Log.accesslogs -DEFAULT: none -DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid -DOC_START - These files log client request activities. Has a line every HTTP or - ICP request. The format is: - access_log : [ [acl acl ...]] - access_log none [acl acl ...]] - - Will log to the specified module:place using the specified format (which - must be defined in a logformat directive) those entries which match - ALL the acl's specified (which must be defined in acl clauses). - If no acl is specified, all requests will be logged to this destination. - - ===== Modules Currently available ===== - - none Do not log any requests matchign these ACL. - Do not specify Place or logformat name. - - stdio Write each log line to disk immediately at the completion of - each request. - Place: the filename and path to be written. - - daemon Very similar to stdio. 
But instead of writing to disk the log - line is passed to a daemon helper for asychronous handling instead. - Place: varies depending on the daemon. - - log_file_daemon Place: the file name and path to be written. - - syslog To log each request via syslog facility. - Place: The syslog facility and priority level for these entries. - Place Format: facility.priority - - where facility could be any of: - authpriv, daemon, local0 ... local7 or user. - - And priority could be any of: - err, warning, notice, info, debug. - - udp To send each log line as text data to a UDP receiver. - Place: The destination host name or IP and port. - Place Format: \\host:port - - Default: - access_log daemon:@DEFAULT_ACCESS_LOG@ squid -DOC_END - -NAME: icap_log -TYPE: access_log -IFDEF: ICAP_CLIENT -LOC: Config.Log.icaplogs -DEFAULT: none -DOC_START - ICAP log files record ICAP transaction summaries, one line per - transaction. - - The icap_log option format is: - icap_log [ [acl acl ...]] - icap_log none [acl acl ...]] - - Please see access_log option documentation for details. The two - kinds of logs share the overall configuration approach and many - features. - - ICAP processing of a single HTTP message or transaction may - require multiple ICAP transactions. In such cases, multiple - ICAP transaction log lines will correspond to a single access - log line. - - ICAP log uses logformat codes that make sense for an ICAP - transaction. Header-related codes are applied to the HTTP header - embedded in an ICAP server response, with the following caveats: - For REQMOD, there is no HTTP response header unless the ICAP - server performed request satisfaction. For RESPMOD, the HTTP - request header is the header sent to the ICAP server. For - OPTIONS, there are no HTTP headers. - - The following format codes are also available for ICAP logs: - - icap::st Bytes sent to the ICAP server (TCP payload - only; i.e., what Squid writes to the socket). - - icap::h ICAP request header(s). 
Similar to >h. - - icap::a %icap::to/%03icap::Hs %icap::'. - - Note, from Squid-3.1 this option has no effect on the cache.log, - that log can be rotated separately by using debug_options -DOC_END - -NAME: emulate_httpd_log -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.common_log -DOC_START - The Cache can emulate the log file format which many 'httpd' - programs use. To disable/enable this emulation, set - emulate_httpd_log to 'off' or 'on'. The default - is to use the native log format since it includes useful - information Squid-specific log analyzers use. -DOC_END - -NAME: log_ip_on_direct -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.log_ip_on_direct -DOC_START - Log the destination IP address in the hierarchy log tag when going - direct. Earlier Squid versions logged the hostname here. If you - prefer the old way set this to off. -DOC_END - -NAME: mime_table -TYPE: string -DEFAULT: @DEFAULT_MIME_TABLE@ -LOC: Config.mimeTablePathname -DOC_START - Pathname to Squid's MIME table. You shouldn't need to change - this, but the default file contains examples and formatting - information if you do. -DOC_END - -NAME: log_mime_hdrs -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.log_mime_hdrs -DEFAULT: off -DOC_START - The Cache can record both the request and the response MIME - headers for each HTTP transaction. The headers are encoded - safely and will appear as two bracketed fields at the end of - the access log (for either the native or httpd-emulated log - formats). To enable this logging set log_mime_hdrs to 'on'. -DOC_END - -NAME: useragent_log -TYPE: string -LOC: Config.Log.useragent -DEFAULT: none -IFDEF: USE_USERAGENT_LOG -DOC_START - Squid will write the User-Agent field from HTTP requests - to the filename specified here. By default useragent_log - is disabled. 
-DOC_END - -NAME: referer_log referrer_log -TYPE: string -LOC: Config.Log.referer -DEFAULT: none -IFDEF: USE_REFERER_LOG -DOC_START - Squid will write the Referer field from HTTP requests to the - filename specified here. By default referer_log is disabled. - Note that "referer" is actually a misspelling of "referrer" - however the misspelt version has been accepted into the HTTP RFCs - and we accept both. -DOC_END - -NAME: pid_filename -TYPE: string -DEFAULT: @DEFAULT_PID_FILE@ -LOC: Config.pidFilename -DOC_START - A filename to write the process-id to. To disable, enter "none". -DOC_END - -NAME: log_fqdn -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.log_fqdn -DOC_START - Turn this on if you wish to log fully qualified domain names - in the access.log. To do this Squid does a DNS lookup of all - IP's connecting to it. This can (in some situations) increase - latency, which makes your cache seem slower for interactive - browsing. -DOC_END - -NAME: client_netmask -TYPE: address -LOC: Config.Addrs.client_netmask -DEFAULT: no_addr -DOC_START - A netmask for client addresses in logfiles and cachemgr output. - Change this to protect the privacy of your cache clients. - A netmask of 255.255.255.0 will log all IP's in that range with - the last digit set to '0'. -DOC_END - -NAME: forward_log -IFDEF: WIP_FWD_LOG -TYPE: string -DEFAULT: none -LOC: Config.Log.forward -DOC_START - Logs the server-side requests. - - This is currently work in progress. -DOC_END - -NAME: strip_query_terms -TYPE: onoff -LOC: Config.onoff.strip_query_terms -DEFAULT: on -DOC_START - By default, Squid strips query terms from requested URLs before - logging. This protects your user's privacy. -DOC_END - -NAME: buffered_logs -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.buffered_logs -DOC_START - cache.log log file is written with stdio functions, and as such - it can be buffered or unbuffered. By default it will be unbuffered. 
- Buffering it can speed up the writing slightly (though you are - unlikely to need to worry unless you run with tons of debugging - enabled in which case performance will suffer badly anyway..). -DOC_END - -NAME: netdb_filename -TYPE: string -DEFAULT: @DEFAULT_NETDB_FILE@ -LOC: Config.netdbFilename -IFDEF: USE_ICMP -DOC_START - A filename where Squid stores it's netdb state between restarts. - To disable, enter "none". -DOC_END - -COMMENT_START - OPTIONS FOR TROUBLESHOOTING - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_log -TYPE: string -DEFAULT: none -DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@ -LOC: Debug::cache_log -DOC_START - Cache logging file. This is where general information about - your cache's behavior goes. You can increase the amount of data - logged to this file and how often its rotated with "debug_options" -DOC_END - -NAME: debug_options -TYPE: eol -DEFAULT: ALL,1 -LOC: Debug::debugOptions -DOC_START - Logging options are set as section,level where each source file - is assigned a unique section. Lower levels result in less - output, Full debugging (level 9) can result in a very large - log file, so be careful. - - The magic word "ALL" sets debugging levels for all sections. - We recommend normally running with "ALL,1". - - The rotate=N option can be used to keep more or less of these logs - than would otherwise be kept by logfile_rotate. - For most uses a single log should be enough to monitor current - events affecting Squid. -DOC_END - -NAME: coredump_dir -TYPE: string -LOC: Config.coredump_dir -DEFAULT: none -DEFAULT_IF_NONE: none -DOC_START - By default Squid leaves core files in the directory from where - it was started. If you set 'coredump_dir' to a directory - that exists, Squid will chdir() to that directory at startup - and coredump files will be left there. 
- -NOCOMMENT_START - -# Leave coredumps in the first cache dir -coredump_dir @DEFAULT_SWAP_DIR@ -NOCOMMENT_END -DOC_END - - -COMMENT_START - OPTIONS FOR FTP GATEWAYING - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: ftp_user -TYPE: string -DEFAULT: Squid@ -LOC: Config.Ftp.anon_user -DOC_START - If you want the anonymous login password to be more informative - (and enable the use of picky ftp servers), set this to something - reasonable for your domain, like wwwuser@somewhere.net - - The reason why this is domainless by default is the - request can be made on the behalf of a user in any domain, - depending on how the cache is used. - Some ftp server also validate the email address is valid - (for example perl.com). -DOC_END - -NAME: ftp_passive -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.passive -DOC_START - If your firewall does not allow Squid to use passive - connections, turn off this option. - - Use of ftp_epsv_all option requires this to be ON. -DOC_END - -NAME: ftp_epsv_all -TYPE: onoff -DEFAULT: off -LOC: Config.Ftp.epsv_all -DOC_START - FTP Protocol extensions permit the use of a special "EPSV ALL" command. - - NATs may be able to put the connection on a "fast path" through the - translator, as the EPRT command will never be used and therefore, - translation of the data portion of the segments will never be needed. - - When a client only expects to do two-way FTP transfers this may be - useful. - If squid finds that it must do a three-way FTP transfer after issuing - an EPSV ALL command, the FTP session will fail. - - If you have any doubts about this option do not use it. - Squid will nicely attempt all other connection methods. - - Requires ftp_passive to be ON (default) for any effect. -DOC_END - -NAME: ftp_epsv -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.epsv -DOC_START - FTP Protocol extensions permit the use of a special "EPSV" command. 
- - NATs may be able to put the connection on a "fast path" through the - translator using EPSV, as the EPRT command will never be used - and therefore, translation of the data portion of the segments - will never be needed. - - Turning this OFF will prevent EPSV being attempted. - WARNING: Doing so will convert Squid back to the old behavior with all - the related problems with external NAT devices/layers. - - Requires ftp_passive to be ON (default) for any effect. -DOC_END - -NAME: ftp_sanitycheck -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.sanitycheck -DOC_START - For security and data integrity reasons Squid by default performs - sanity checks of the addresses of FTP data connections ensure the - data connection is to the requested server. If you need to allow - FTP connections to servers using another IP address for the data - connection turn this off. -DOC_END - -NAME: ftp_telnet_protocol -TYPE: onoff -DEFAULT: on -LOC: Config.Ftp.telnet -DOC_START - The FTP protocol is officially defined to use the telnet protocol - as transport channel for the control connection. However, many - implementations are broken and does not respect this aspect of - the FTP protocol. - - If you have trouble accessing files with ASCII code 255 in the - path or similar problems involving this ASCII code you can - try setting this directive to off. If that helps, report to the - operator of the FTP server in question that their FTP server - is broken and does not follow the FTP standard. -DOC_END - -COMMENT_START - OPTIONS FOR EXTERNAL SUPPORT PROGRAMS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: diskd_program -TYPE: string -DEFAULT: @DEFAULT_DISKD@ -LOC: Config.Program.diskd -DOC_START - Specify the location of the diskd executable. - Note this is only useful if you have compiled in - diskd as one of the store io modules. 
-DOC_END - -NAME: unlinkd_program -IFDEF: USE_UNLINKD -TYPE: string -DEFAULT: @DEFAULT_UNLINKD@ -LOC: Config.Program.unlinkd -DOC_START - Specify the location of the executable for file deletion process. -DOC_END - -NAME: pinger_program -TYPE: string -DEFAULT: @DEFAULT_PINGER@ -LOC: Config.pinger.program -IFDEF: USE_ICMP -DOC_START - Specify the location of the executable for the pinger process. -DOC_END - -NAME: pinger_enable -TYPE: onoff -DEFAULT: on -LOC: Config.pinger.enable -IFDEF: USE_ICMP -DOC_START - Control whether the pinger is active at run-time. - Enables turning ICMP pinger on and off with a simple - squid -k reconfigure. -DOC_END - - -COMMENT_START - OPTIONS FOR URL REWRITING - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: url_rewrite_program redirect_program -TYPE: wordlist -LOC: Config.Program.redirect -DEFAULT: none -DOC_START - Specify the location of the executable for the URL rewriter. - Since they can perform almost any function there isn't one included. - - For each requested URL rewriter will receive on line with the format - - URL client_ip "/" fqdn user method [ kvpairs] - - In the future, the rewriter interface will be extended with - key=value pairs ("kvpairs" shown above). Rewriter programs - should be prepared to receive and possibly ignore additional - whitespace-separated tokens on each input line. - - And the rewriter may return a rewritten URL. The other components of - the request line does not need to be returned (ignored if they are). - - The rewriter can also indicate that a client-side redirect should - be performed to the new URL. This is done by prefixing the returned - URL with "301:" (moved permanently) or 302: (moved temporarily). - - By default, a URL rewriter is not used. 
-DOC_END - -NAME: url_rewrite_children redirect_children -TYPE: HelperChildConfig -DEFAULT: 20 startup=0 idle=1 concurrency=0 -LOC: Config.redirectChildren -DOC_START - The maximum number of redirector processes to spawn. If you limit - it too few Squid will have to wait for them to process a backlog of - URLs, slowing it down. If you allow too many they will use RAM - and other system resources noticably. - - The startup= and idle= options allow some measure of skew in your - tuning. - - startup= - - Sets a minimum of how many processes are to be spawned when Squid - starts or reconfigures. When set to zero the first request will - cause spawning of the first child process to handle it. - - Starting too few will cause an initial slowdown in traffic as Squid - attempts to simultaneously spawn enough processes to cope. - - idle= - - Sets a minimum of how many processes Squid is to try and keep available - at all times. When traffic begins to rise above what the existing - processes can handle this many more will be spawned up to the maximum - configured. A minimum setting of 1 is required. - - concurrency= - - The number of requests each redirector helper can handle in - parallel. Defaults to 0 which indicates the redirector - is a old-style single threaded redirector. - - When this directive is set to a value >= 1 then the protocol - used to communicate with the helper is modified to include - a request ID in front of the request/response. The request - ID from the request must be echoed back with the response - to that request. -DOC_END - -NAME: url_rewrite_host_header redirect_rewrites_host_header -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.redir_rewrites_host -DOC_START - By default Squid rewrites any Host: header in redirected - requests. If you are running an accelerator this may - not be a wanted effect of a redirector. - - WARNING: Entries are cached on the result of the URL rewriting - process, so be careful if you have domain-virtual hosts. 
-DOC_END - -NAME: url_rewrite_access redirector_access -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.redirector -DOC_START - If defined, this access list specifies which requests are - sent to the redirector processes. By default all requests - are sent. - - This clause supports both fast and slow acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - -NAME: url_rewrite_bypass redirector_bypass -TYPE: onoff -LOC: Config.onoff.redirector_bypass -DEFAULT: off -DOC_START - When this is 'on', a request will not go through the - redirector if all redirectors are busy. If this is 'off' - and the redirector queue grows too large, Squid will exit - with a FATAL error and ask you to increase the number of - redirectors. You should only enable this if the redirectors - are not critical to your caching system. If you use - redirectors for access control, and you enable this option, - users may have access to pages they should not - be allowed to request. -DOC_END - -COMMENT_START - OPTIONS FOR TUNING THE CACHE - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache no_cache -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.noCache -DOC_START - A list of ACL elements which, if matched and denied, cause the request to - not be satisfied from the cache and the reply to not be cached. - In other words, use this to force certain objects to never be cached. - - You must use the words 'allow' or 'deny' to indicate whether items - matching the ACL should be allowed or denied into the cache. - - Default is to allow all to be cached. - - This clause supports both fast and slow acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - -NAME: refresh_pattern -TYPE: refreshpattern -LOC: Config.Refresh -DEFAULT: none -DOC_START - usage: refresh_pattern [-i] regex min percent max [options] - - By default, regular expressions are CASE-SENSITIVE. 
To make - them case-insensitive, use the -i option. - - 'Min' is the time (in minutes) an object without an explicit - expiry time should be considered fresh. The recommended - value is 0, any higher values may cause dynamic applications - to be erroneously cached unless the application designer - has taken the appropriate actions. - - 'Percent' is a percentage of the objects age (time since last - modification age) an object without explicit expiry time - will be considered fresh. - - 'Max' is an upper limit on how long objects without an explicit - expiry time will be considered fresh. - - options: override-expire - override-lastmod - reload-into-ims - ignore-reload - ignore-no-cache - ignore-no-store - ignore-must-revalidate - ignore-private - ignore-auth - refresh-ims - - override-expire enforces min age even if the server - sent an explicit expiry time (e.g., with the - Expires: header or Cache-Control: max-age). Doing this - VIOLATES the HTTP standard. Enabling this feature - could make you liable for problems which it causes. - - Note: override-expire does not enforce staleness - it only extends - freshness / min. If the server returns a Expires time which - is longer than your max time, Squid will still consider - the object fresh for that period of time. - - override-lastmod enforces min age even on objects - that were modified recently. - - reload-into-ims changes client no-cache or ``reload'' - to If-Modified-Since requests. Doing this VIOLATES the - HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-reload ignores a client no-cache or ``reload'' - header. Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which - it causes. - - ignore-no-cache ignores any ``Pragma: no-cache'' and - ``Cache-control: no-cache'' headers received from a server. 
- The HTTP RFC never allows the use of this (Pragma) header - from a server, only a client, though plenty of servers - send it anyway. - - ignore-no-store ignores any ``Cache-control: no-store'' - headers received from a server. Doing this VIOLATES - the HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-must-revalidate ignores any ``Cache-Control: must-revalidate`` - headers received from a server. Doing this VIOLATES - the HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-private ignores any ``Cache-control: private'' - headers received from a server. Doing this VIOLATES - the HTTP standard. Enabling this feature could make you - liable for problems which it causes. - - ignore-auth caches responses to requests with authorization, - as if the originserver had sent ``Cache-control: public'' - in the response header. Doing this VIOLATES the HTTP standard. - Enabling this feature could make you liable for problems which - it causes. - - refresh-ims causes squid to contact the origin server - when a client issues an If-Modified-Since request. This - ensures that the client will receive an updated version - if one is available. - - Basically a cached object is: - - FRESH if expires < now, else STALE - STALE if age > max - FRESH if lm-factor < percent, else STALE - FRESH if age < min - else STALE - - The refresh_pattern lines are checked in the order listed here. - The first entry which matches is used. If none of the entries - match the default will be used. - - Note, you must uncomment all the default lines if you want - to change one. The default setting is only active if none is - used. - -NOCOMMENT_START - -# Add any of your own refresh_pattern entries above these. -refresh_pattern ^ftp: 1440 20% 10080 -refresh_pattern ^gopher: 1440 0% 1440 -refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 -refresh_pattern . 
0 20% 4320 -NOCOMMENT_END -DOC_END - -NAME: quick_abort_min -COMMENT: (KB) -TYPE: kb_int64_t -DEFAULT: 16 KB -LOC: Config.quickAbort.min -DOC_NONE - -NAME: quick_abort_max -COMMENT: (KB) -TYPE: kb_int64_t -DEFAULT: 16 KB -LOC: Config.quickAbort.max -DOC_NONE - -NAME: quick_abort_pct -COMMENT: (percent) -TYPE: int -DEFAULT: 95 -LOC: Config.quickAbort.pct -DOC_START - The cache by default continues downloading aborted requests - which are almost completed (less than 16 KB remaining). This - may be undesirable on slow (e.g. SLIP) links and/or very busy - caches. Impatient users may tie up file descriptors and - bandwidth by repeatedly requesting and immediately aborting - downloads. - - When the user aborts a request, Squid will check the - quick_abort values to the amount of data transfered until - then. - - If the transfer has less than 'quick_abort_min' KB remaining, - it will finish the retrieval. - - If the transfer has more than 'quick_abort_max' KB remaining, - it will abort the retrieval. - - If more than 'quick_abort_pct' of the transfer has completed, - it will finish the retrieval. - - If you do not want any retrieval to continue after the client - has aborted, set both 'quick_abort_min' and 'quick_abort_max' - to '0 KB'. - - If you want retrievals to always continue if they are being - cached set 'quick_abort_min' to '-1 KB'. -DOC_END - -NAME: read_ahead_gap -COMMENT: buffer-size -TYPE: b_int64_t -LOC: Config.readAheadGap -DEFAULT: 16 KB -DOC_START - The amount of data the cache will buffer ahead of what has been - sent to the client when retrieving an object from another server. -DOC_END - -NAME: negative_ttl -IFDEF: HTTP_VIOLATIONS -COMMENT: time-units -TYPE: time_t -LOC: Config.negativeTtl -DEFAULT: 0 seconds -DOC_START - Set the Default Time-to-Live (TTL) for failed requests. - Certain types of failures (such as "connection refused" and - "404 Not Found") are able to be negatively-cached for a short time. 
- Modern web servers should provide Expires: header, however if they - do not this can provide a minimum TTL. - The default is not to cache errors with unknown expiry details. - - Note that this is different from negative caching of DNS lookups. - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. -DOC_END - -NAME: positive_dns_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.positiveDnsTtl -DEFAULT: 6 hours -DOC_START - Upper limit on how long Squid will cache positive DNS responses. - Default is 6 hours (360 minutes). This directive must be set - larger than negative_dns_ttl. -DOC_END - -NAME: negative_dns_ttl -COMMENT: time-units -TYPE: time_t -LOC: Config.negativeDnsTtl -DEFAULT: 1 minutes -DOC_START - Time-to-Live (TTL) for negative caching of failed DNS lookups. - This also sets the lower cache limit on positive lookups. - Minimum value is 1 second, and it is not recommendable to go - much below 10 seconds. -DOC_END - -NAME: range_offset_limit -COMMENT: size [acl acl...] -TYPE: acl_b_size_t -LOC: Config.rangeOffsetLimit -DEFAULT: none -DOC_START - usage: (size) [units] [[!]aclname] - - Sets an upper limit on how far (number of bytes) into the file - a Range request may be to cause Squid to prefetch the whole file. - If beyond this limit, Squid forwards the Range request as it is and - the result is NOT cached. - - This is to stop a far ahead range request (lets say start at 17MB) - from making Squid fetch the whole object up to that point before - sending anything to the client. - - Multiple range_offset_limit lines may be specified, and they will - be searched from top to bottom on each request until a match is found. - The first match found will be used. If no line matches a request, the - default limit of 0 bytes will be used. - - 'size' is the limit specified as a number of units. - - 'units' specifies whether to use bytes, KB, MB, etc. 
- If no units are specified bytes are assumed. - - A size of 0 causes Squid to never fetch more than the - client requested. (default) - - A size of 'none' causes Squid to always fetch the object from the - beginning so it may cache the result. (2.0 style) - - 'aclname' is the name of a defined ACL. - - NP: Using 'none' as the byte value here will override any quick_abort settings - that may otherwise apply to the range request. The range request will - be fully fetched from start to finish regardless of the client - actions. This affects bandwidth usage. -DOC_END - -NAME: minimum_expiry_time -COMMENT: (seconds) -TYPE: time_t -LOC: Config.minimum_expiry_time -DEFAULT: 60 seconds -DOC_START - The minimum caching time according to (Expires - Date) - Headers Squid honors if the object can't be revalidated - defaults to 60 seconds. In reverse proxy environments it - might be desirable to honor shorter object lifetimes. It - is most likely better to make your server return a - meaningful Last-Modified header however. In ESI environments - where page fragments often have short lifetimes, this will - often be best set to 0. -DOC_END - -NAME: store_avg_object_size -COMMENT: (kbytes) -TYPE: kb_int64_t -DEFAULT: 13 KB -LOC: Config.Store.avgObjectSize -DOC_START - Average object size, used to estimate number of objects your - cache can hold. The default is 13 KB. -DOC_END - -NAME: store_objects_per_bucket -TYPE: int -DEFAULT: 20 -LOC: Config.Store.objectsPerBucket -DOC_START - Target number of objects per bucket in the store hash table. - Lowering this value increases the total number of buckets and - also the storage maintenance rate. The default is 20. -DOC_END - -COMMENT_START - HTTP OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: request_header_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 64 KB -LOC: Config.maxRequestHeaderSize -DOC_START - This specifies the maximum size for HTTP headers in a request. 
- Request headers are usually relatively small (about 512 bytes). - Placing a limit on the request header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. -DOC_END - -NAME: reply_header_max_size -COMMENT: (KB) -TYPE: b_size_t -DEFAULT: 64 KB -LOC: Config.maxReplyHeaderSize -DOC_START - This specifies the maximum size for HTTP headers in a reply. - Reply headers are usually relatively small (about 512 bytes). - Placing a limit on the reply header size will catch certain - bugs (for example with persistent connections) and possibly - buffer-overflow or denial-of-service attacks. -DOC_END - -NAME: request_body_max_size -COMMENT: (bytes) -TYPE: b_int64_t -DEFAULT: 0 KB -LOC: Config.maxRequestBodySize -DOC_START - This specifies the maximum size for an HTTP request body. - In other words, the maximum size of a PUT/POST request. - A user who attempts to send a request with a body larger - than this limit receives an "Invalid Request" error message. - If you set this parameter to a zero (the default), there will - be no limit imposed. -DOC_END - -NAME: chunked_request_body_max_size -COMMENT: (bytes) -TYPE: b_int64_t -DEFAULT: 64 KB -LOC: Config.maxChunkedRequestBodySize -DOC_START - A broken or confused HTTP/1.1 client may send a chunked HTTP - request to Squid. Squid does not have full support for that - feature yet. To cope with such requests, Squid buffers the - entire request and then dechunks request body to create a - plain HTTP/1.0 request with a known content length. The plain - request is then used by the rest of Squid code as usual. - - The option value specifies the maximum size of the buffer used - to hold the request before the conversion. If the chunked - request size exceeds the specified limit, the conversion - fails, and the client receives an "unsupported request" error, - as if dechunking was disabled. - - Dechunking is enabled by default. 
To disable conversion of - chunked requests, set the maximum to zero. - - Request dechunking feature and this option in particular are a - temporary hack. When chunking requests and responses are fully - supported, there will be no need to buffer a chunked request. -DOC_END - -NAME: broken_posts -IFDEF: HTTP_VIOLATIONS -TYPE: acl_access -DEFAULT: none -LOC: Config.accessList.brokenPosts -DOC_START - A list of ACL elements which, if matched, causes Squid to send - an extra CRLF pair after the body of a PUT/POST request. - - Some HTTP servers has broken implementations of PUT/POST, - and rely on an extra CRLF pair sent by some WWW clients. - - Quote from RFC2616 section 4.1 on this matter: - - Note: certain buggy HTTP/1.0 client implementations generate an - extra CRLF's after a POST request. To restate what is explicitly - forbidden by the BNF, an HTTP/1.1 client must not preface or follow - a request with an extra CRLF. - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. - -Example: - acl buggy_server url_regex ^http://.... - broken_posts allow buggy_server -DOC_END - -NAME: icap_uses_indirect_client -COMMENT: on|off -TYPE: onoff -IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT -DEFAULT: on -LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client -DOC_START - Controls whether the indirect client address - (see follow_x_forwarded_for) instead of the - direct client address is passed to an ICAP - server as "X-Client-IP". -DOC_END - -NAME: via -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.via -DOC_START - If set (default), Squid will include a Via header in requests and - replies as required by RFC2616. -DOC_END - -NAME: ie_refresh -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.ie_refresh -DEFAULT: off -DOC_START - Microsoft Internet Explorer up until version 5.5 Service - Pack 1 has an issue with transparent proxies, wherein it - is impossible to force a refresh. 
Turning this on provides - a partial fix to the problem, by causing all IMS-REFRESH - requests from older IE versions to check the origin server - for fresh content. This reduces hit ratio by some amount - (~10% in my experience), but allows users to actually get - fresh content when they want it. Note because Squid - cannot tell if the user is using 5.5 or 5.5SP1, the behavior - of 5.5 is unchanged from old versions of Squid (i.e. a - forced refresh is impossible). Newer versions of IE will, - hopefully, continue to have the new behavior and will be - handled based on that assumption. This option defaults to - the old Squid behavior, which is better for hit ratios but - worse for clients using IE, if they need to be able to - force fresh content. -DOC_END - -NAME: vary_ignore_expire -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.vary_ignore_expire -DEFAULT: off -DOC_START - Many HTTP servers supporting Vary gives such objects - immediate expiry time with no cache-control header - when requested by a HTTP/1.0 client. This option - enables Squid to ignore such expiry times until - HTTP/1.1 is fully implemented. - - WARNING: If turned on this may eventually cause some - varying objects not intended for caching to get cached. -DOC_END - -NAME: request_entities -TYPE: onoff -LOC: Config.onoff.request_entities -DEFAULT: off -DOC_START - Squid defaults to deny GET and HEAD requests with request entities, - as the meaning of such requests are undefined in the HTTP standard - even if not explicitly forbidden. - - Set this directive to on if you have clients which insists - on sending request entities in GET or HEAD requests. But be warned - that there is server software (both proxies and web servers) which - can fail to properly process this kind of request which may make you - vulnerable to cache pollution attacks if enabled. 
-DOC_END - -NAME: request_header_access -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_access[] -LOC: Config.request_header_access -DEFAULT: none -DOC_START - Usage: request_header_access header_name allow|deny [!]aclname ... - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. - - This option replaces the old 'anonymize_headers' and the - older 'http_anonymizer' option with something that is much - more configurable. This new method creates a list of ACLs - for each header, allowing you very fine-tuned header - mangling. - - This option only applies to request headers, i.e., from the - client to the server. - - You can only specify known headers for the header name. - Other headers are reclassified as 'Other'. You can also - refer to all the headers with 'All'. - - For example, to achieve the same behavior as the old - 'http_anonymizer standard' option, you should use: - - request_header_access From deny all - request_header_access Referer deny all - request_header_access Server deny all - request_header_access User-Agent deny all - request_header_access WWW-Authenticate deny all - request_header_access Link deny all - - Or, to reproduce the old 'http_anonymizer paranoid' feature - you should use: - - request_header_access Allow allow all - request_header_access Authorization allow all - request_header_access WWW-Authenticate allow all - request_header_access Proxy-Authorization allow all - request_header_access Proxy-Authenticate allow all - request_header_access Cache-Control allow all - request_header_access Content-Encoding allow all - request_header_access Content-Length allow all - request_header_access Content-Type allow all - request_header_access Date allow all - request_header_access Expires allow all - request_header_access Host allow all - request_header_access If-Modified-Since allow all - request_header_access Last-Modified allow all - request_header_access Location allow all - 
request_header_access Pragma allow all - request_header_access Accept allow all - request_header_access Accept-Charset allow all - request_header_access Accept-Encoding allow all - request_header_access Accept-Language allow all - request_header_access Content-Language allow all - request_header_access Mime-Version allow all - request_header_access Retry-After allow all - request_header_access Title allow all - request_header_access Connection allow all - request_header_access Proxy-Connection allow all - request_header_access All deny all - - although many of those are HTTP reply headers, and so should be - controlled with the reply_header_access directive. - - By default, all headers are allowed (no anonymizing is - performed). -DOC_END - -NAME: reply_header_access -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_access[] -LOC: Config.reply_header_access -DEFAULT: none -DOC_START - Usage: reply_header_access header_name allow|deny [!]aclname ... - - WARNING: Doing this VIOLATES the HTTP standard. Enabling - this feature could make you liable for problems which it - causes. - - This option only applies to reply headers, i.e., from the - server to the client. - - This is the same as request_header_access, but in the other - direction. - - This option replaces the old 'anonymize_headers' and the - older 'http_anonymizer' option with something that is much - more configurable. This new method creates a list of ACLs - for each header, allowing you very fine-tuned header - mangling. - - You can only specify known headers for the header name. - Other headers are reclassified as 'Other'. You can also - refer to all the headers with 'All'. 
- - For example, to achieve the same behavior as the old - 'http_anonymizer standard' option, you should use: - - reply_header_access From deny all - reply_header_access Referer deny all - reply_header_access Server deny all - reply_header_access User-Agent deny all - reply_header_access WWW-Authenticate deny all - reply_header_access Link deny all - - Or, to reproduce the old 'http_anonymizer paranoid' feature - you should use: - - reply_header_access Allow allow all - reply_header_access Authorization allow all - reply_header_access WWW-Authenticate allow all - reply_header_access Proxy-Authorization allow all - reply_header_access Proxy-Authenticate allow all - reply_header_access Cache-Control allow all - reply_header_access Content-Encoding allow all - reply_header_access Content-Length allow all - reply_header_access Content-Type allow all - reply_header_access Date allow all - reply_header_access Expires allow all - reply_header_access Host allow all - reply_header_access If-Modified-Since allow all - reply_header_access Last-Modified allow all - reply_header_access Location allow all - reply_header_access Pragma allow all - reply_header_access Accept allow all - reply_header_access Accept-Charset allow all - reply_header_access Accept-Encoding allow all - reply_header_access Accept-Language allow all - reply_header_access Content-Language allow all - reply_header_access Mime-Version allow all - reply_header_access Retry-After allow all - reply_header_access Title allow all - reply_header_access Connection allow all - reply_header_access Proxy-Connection allow all - reply_header_access All deny all - - although the HTTP request headers won't be usefully controlled - by this directive -- see request_header_access for details. - - By default, all headers are allowed (no anonymizing is - performed). 
-DOC_END - -NAME: header_replace -IFDEF: HTTP_VIOLATIONS -TYPE: http_header_replace[] -LOC: Config.request_header_access -DEFAULT: none -DOC_START - Usage: header_replace header_name message - Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) - - This option allows you to change the contents of headers - denied with header_access above, by replacing them with - some fixed string. This replaces the old fake_user_agent - option. - - This only applies to request headers, not reply headers. - - By default, headers are removed if denied. -DOC_END - -NAME: relaxed_header_parser -COMMENT: on|off|warn -TYPE: tristate -LOC: Config.onoff.relaxed_header_parser -DEFAULT: on -DOC_START - In the default "on" setting Squid accepts certain forms - of non-compliant HTTP messages where it is unambiguous - what the sending application intended even if the message - is not correctly formatted. The messages is then normalized - to the correct form when forwarded by Squid. - - If set to "warn" then a warning will be emitted in cache.log - each time such HTTP error is encountered. - - If set to "off" then such HTTP errors will cause the request - or response to be rejected. -DOC_END - -NAME: ignore_expect_100 -COMMENT: on|off -IFDEF: HTTP_VIOLATIONS -TYPE: onoff -LOC: Config.onoff.ignore_expect_100 -DEFAULT: off -DOC_START - This option makes Squid ignore any Expect: 100-continue header present - in the request. RFC 2616 requires that Squid being unable to satisfy - the response expectation MUST return a 417 error. - - Note: Enabling this is a HTTP protocol violation, but some clients may - not handle it well.. 
-DOC_END - -COMMENT_START - TIMEOUTS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: forward_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.forward -DEFAULT: 4 minutes -DOC_START - This parameter specifies how long Squid should at most attempt in - finding a forwarding path for the request before giving up. -DOC_END - -NAME: connect_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.connect -DEFAULT: 1 minute -DOC_START - This parameter specifies how long to wait for the TCP connect to - the requested server or peer to complete before Squid should - attempt to find another path where to forward the request. -DOC_END - -NAME: peer_connect_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.peer_connect -DEFAULT: 30 seconds -DOC_START - This parameter specifies how long to wait for a pending TCP - connection to a peer cache. The default is 30 seconds. You - may also set different timeout values for individual neighbors - with the 'connect-timeout' option on a 'cache_peer' line. -DOC_END - -NAME: read_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.read -DEFAULT: 15 minutes -DOC_START - The read_timeout is applied on server-side connections. After - each successful read(), the timeout will be extended by this - amount. If no data is read again after this amount of time, - the request is aborted and logged with ERR_READ_TIMEOUT. The - default is 15 minutes. -DOC_END - -NAME: write_timeout -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.write -DEFAULT: 15 minutes -DOC_START - This timeout is tracked for all connections that have data - available for writing and are waiting for the socket to become - ready. After each successful write, the timeout is extended by - the configured amount. If Squid has data to write but the - connection is not ready for the configured duration, the - transaction associated with the connection is terminated. 
The - default is 15 minutes. -DOC_END - -NAME: request_timeout -TYPE: time_t -LOC: Config.Timeout.request -DEFAULT: 5 minutes -DOC_START - How long to wait for an HTTP request after initial - connection establishment. -DOC_END - -NAME: persistent_request_timeout -TYPE: time_t -LOC: Config.Timeout.persistent_request -DEFAULT: 2 minutes -DOC_START - How long to wait for the next HTTP request on a persistent - connection after the previous request completes. -DOC_END - -NAME: client_lifetime -COMMENT: time-units -TYPE: time_t -LOC: Config.Timeout.lifetime -DEFAULT: 1 day -DOC_START - The maximum amount of time a client (browser) is allowed to - remain connected to the cache process. This protects the Cache - from having a lot of sockets (and hence file descriptors) tied up - in a CLOSE_WAIT state from remote clients that go away without - properly shutting down (either because of a network failure or - because of a poor client implementation). The default is one - day, 1440 minutes. - - NOTE: The default value is intended to be much larger than any - client would ever need to be connected to your cache. You - should probably change client_lifetime only as a last resort. - If you seem to have many client connections tying up - filedescriptors, we recommend first tuning the read_timeout, - request_timeout, persistent_request_timeout and quick_abort values. -DOC_END - -NAME: half_closed_clients -TYPE: onoff -LOC: Config.onoff.half_closed_clients -DEFAULT: off -DOC_START - Some clients may shutdown the sending side of their TCP - connections, while leaving their receiving sides open. Sometimes, - Squid can not tell the difference between a half-closed and a - fully-closed TCP connection. - - By default, Squid will immediately close client connections when - read(2) returns "no more data to read." - - Change this option to 'on' and Squid will keep open connections - until a read(2) or write(2) on the socket returns an error. 
- This may show some benefits for reverse proxies. But if not - it is recommended to leave OFF. -DOC_END - -NAME: pconn_timeout -TYPE: time_t -LOC: Config.Timeout.pconn -DEFAULT: 1 minute -DOC_START - Timeout for idle persistent connections to servers and other - proxies. -DOC_END - -NAME: ident_timeout -TYPE: time_t -IFDEF: USE_IDENT -LOC: Ident::TheConfig.timeout -DEFAULT: 10 seconds -DOC_START - Maximum time to wait for IDENT lookups to complete. - - If this is too high, and you enabled IDENT lookups from untrusted - users, you might be susceptible to denial-of-service by having - many ident requests going at once. -DOC_END - -NAME: shutdown_lifetime -COMMENT: time-units -TYPE: time_t -LOC: Config.shutdownLifetime -DEFAULT: 30 seconds -DOC_START - When SIGTERM or SIGHUP is received, the cache is put into - "shutdown pending" mode until all active sockets are closed. - This value is the lifetime to set for all open descriptors - during shutdown mode. Any active clients after this many - seconds will receive a 'timeout' message. -DOC_END - -COMMENT_START - ADMINISTRATIVE PARAMETERS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: cache_mgr -TYPE: string -DEFAULT: webmaster -LOC: Config.adminEmail -DOC_START - Email-address of local cache manager who will receive - mail if the cache dies. The default is "webmaster." -DOC_END - -NAME: mail_from -TYPE: string -DEFAULT: none -LOC: Config.EmailFrom -DOC_START - 
From: email-address for mail sent when the cache dies. - The default is to use 'appname@unique_hostname'. - Default appname value is "squid", can be changed into - src/globals.h before building squid. -DOC_END - -NAME: mail_program -TYPE: eol -DEFAULT: mail -LOC: Config.EmailProgram -DOC_START - Email program used to send mail if the cache dies. - The default is "mail". The specified program must comply - with the standard Unix mail syntax: - mail-program recipient < mailfile - - Optional command line options can be specified. -DOC_END - -NAME: cache_effective_user -TYPE: string -DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@ -LOC: Config.effectiveUser -DOC_START - If you start Squid as root, it will change its effective/real - UID/GID to the user specified below. The default is to change - to UID of @DEFAULT_CACHE_EFFECTIVE_USER@. - see also; cache_effective_group -DOC_END - -NAME: cache_effective_group -TYPE: string -DEFAULT: none -LOC: Config.effectiveGroup -DOC_START - Squid sets the GID to the effective user's default group ID - (taken from the password file) and supplementary group list - from the groups membership. - - If you want Squid to run with a specific GID regardless of - the group memberships of the effective user then set this - to the group (or GID) you want Squid to run as. When set - all other group privileges of the effective user are ignored - and only this GID is effective. If Squid is not started as - root the user starting Squid MUST be member of the specified - group. - - This option is not recommended by the Squid Team. - Our preference is for administrators to configure a secure - user account for squid with UID/GID matching system policies. -DOC_END - -NAME: httpd_suppress_version_string -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.httpd_suppress_version_string -DOC_START - Suppress Squid version string info in HTTP headers and HTML error pages. 
-DOC_END - -NAME: visible_hostname -TYPE: string -LOC: Config.visibleHostname -DEFAULT: none -DOC_START - If you want to present a special hostname in error messages, etc, - define this. Otherwise, the return value of gethostname() - will be used. If you have multiple caches in a cluster and - get errors about IP-forwarding you must set them to have individual - names with this setting. -DOC_END - -NAME: unique_hostname -TYPE: string -LOC: Config.uniqueHostname -DEFAULT: none -DOC_START - If you want to have multiple machines with the same - 'visible_hostname' you must give each machine a different - 'unique_hostname' so forwarding loops can be detected. -DOC_END - -NAME: hostname_aliases -TYPE: wordlist -LOC: Config.hostnameAliases -DEFAULT: none -DOC_START - A list of other DNS names your cache has. -DOC_END - -NAME: umask -TYPE: int -LOC: Config.umask -DEFAULT: 027 -DOC_START - Minimum umask which should be enforced while the proxy - is running, in addition to the umask set at startup. - - For a traditional octal representation of umasks, start - your value with 0. -DOC_END - -COMMENT_START - OPTIONS FOR THE CACHE REGISTRATION SERVICE - ----------------------------------------------------------------------------- - - This section contains parameters for the (optional) cache - announcement service. This service is provided to help - cache administrators locate one another in order to join or - create cache hierarchies. - - An 'announcement' message is sent (via UDP) to the registration - service by Squid. By default, the announcement message is NOT - SENT unless you enable it with 'announce_period' below. - - The announcement message includes your hostname, plus the - following information from this configuration file: - - http_port - icp_port - cache_mgr - - All current information is processed regularly and made - available on the Web at http://www.ircache.net/Cache/Tracker/. 
-COMMENT_END - -NAME: announce_period -TYPE: time_t -LOC: Config.Announce.period -DEFAULT: 0 -DOC_START - This is how frequently to send cache announcements. The - default is `0' which disables sending the announcement - messages. - - To enable announcing your cache, just set an announce period. - - Example: - announce_period 1 day -DOC_END - -NAME: announce_host -TYPE: string -DEFAULT: tracker.ircache.net -LOC: Config.Announce.host -DOC_NONE - -NAME: announce_file -TYPE: string -DEFAULT: none -LOC: Config.Announce.file -DOC_NONE - -NAME: announce_port -TYPE: ushort -DEFAULT: 3131 -LOC: Config.Announce.port -DOC_START - announce_host and announce_port set the hostname and port - number where the registration message will be sent. - - Hostname will default to 'tracker.ircache.net' and port will - default default to 3131. If the 'filename' argument is given, - the contents of that file will be included in the announce - message. -DOC_END - -COMMENT_START - HTTPD-ACCELERATOR OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: httpd_accel_surrogate_id -TYPE: string -DEFAULT: none -LOC: Config.Accel.surrogate_id -DOC_START - Surrogates (http://www.esi.org/architecture_spec_1.0.html) - need an identification token to allow control targeting. Because - a farm of surrogates may all perform the same tasks, they may share - an identification token. - - The default ID is the visible_hostname -DOC_END - -NAME: http_accel_surrogate_remote -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.surrogate_is_remote -DOC_START - Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. - Set this to on to have squid behave as a remote surrogate. -DOC_END - -NAME: esi_parser -IFDEF: USE_SQUID_ESI -COMMENT: libxml2|expat|custom -TYPE: string -LOC: ESIParser::Type -DEFAULT: custom -DOC_START - ESI markup is not strictly XML compatible. 
The custom ESI parser - will give higher performance, but cannot handle non ASCII character - encodings. -DOC_END - -COMMENT_START - DELAY POOL PARAMETERS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: delay_pools -TYPE: delay_pool_count -DEFAULT: 0 -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This represents the number of delay pools to be used. For example, - if you have one class 2 delay pool and one class 3 delays pool, you - have a total of 2 delay pools. -DOC_END - -NAME: delay_class -TYPE: delay_pool_class -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This defines the class of each delay pool. There must be exactly one - delay_class line for each delay pool. For example, to define two - delay pools, one of class 2 and one of class 3, the settings above - and here would be: - - Example: - delay_pools 4 # 4 delay pools - delay_class 1 2 # pool 1 is a class 2 pool - delay_class 2 3 # pool 2 is a class 3 pool - delay_class 3 4 # pool 3 is a class 4 pool - delay_class 4 5 # pool 4 is a class 5 pool - - The delay pool classes are: - - class 1 Everything is limited by a single aggregate - bucket. - - class 2 Everything is limited by a single aggregate - bucket as well as an "individual" bucket chosen - from bits 25 through 32 of the IPv4 address. - - class 3 Everything is limited by a single aggregate - bucket as well as a "network" bucket chosen - from bits 17 through 24 of the IP address and a - "individual" bucket chosen from bits 17 through - 32 of the IPv4 address. - - class 4 Everything in a class 3 delay pool, with an - additional limit on a per user basis. This - only takes effect if the username is established - in advance - by forcing authentication in your - http_access rules. - - class 5 Requests are grouped according their tag (see - external_acl's tag= reply). 
- - NOTE: If an IP address is a.b.c.d - -> bits 25 through 32 are "d" - -> bits 17 through 24 are "c" - -> bits 17 through 32 are "c * 256 + d" - - NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to - IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. -DOC_END - -NAME: delay_access -TYPE: delay_pool_access -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This is used to determine which delay pool a request falls into. - - delay_access is sorted per pool and the matching starts with pool 1, - then pool 2, ..., and finally pool N. The first delay pool where the - request is allowed is selected for the request. If it does not allow - the request to any pool then the request is not delayed (default). - - For example, if you want some_big_clients in delay - pool 1 and lotsa_little_clients in delay pool 2: - -Example: - delay_access 1 allow some_big_clients - delay_access 1 deny all - delay_access 2 allow lotsa_little_clients - delay_access 2 deny all - delay_access 3 allow authenticated_clients -DOC_END - -NAME: delay_parameters -TYPE: delay_pool_rates -DEFAULT: none -IFDEF: DELAY_POOLS -LOC: Config.Delay -DOC_START - This defines the parameters for a delay pool. Each delay pool has - a number of "buckets" associated with it, as explained in the - description of delay_class. For a class 1 delay pool, the syntax is: - -delay_parameters pool aggregate - - For a class 2 delay pool: - -delay_parameters pool aggregate individual - - For a class 3 delay pool: - -delay_parameters pool aggregate network individual - - For a class 4 delay pool: - -delay_parameters pool aggregate network individual user - - For a class 5 delay pool: - -delay_parameters pool tag - - The variables here are: - - pool a pool number - ie, a number between 1 and the - number specified in delay_pools as used in - delay_class lines. - - aggregate the "delay parameters" for the aggregate bucket - (class 1, 2, 3). 
- - individual the "delay parameters" for the individual - buckets (class 2, 3). - - network the "delay parameters" for the network buckets - (class 3). - - user the delay parameters for the user buckets - (class 4). - - tag the delay parameters for the tag buckets - (class 5). - - A pair of delay parameters is written restore/maximum, where restore is - the number of bytes (not bits - modem and network speeds are usually - quoted in bits) per second placed into the bucket, and maximum is the - maximum number of bytes which can be in the bucket at any time. - - For example, if delay pool number 1 is a class 2 delay pool as in the - above example, and is being used to strictly limit each host to 64kbps - (plus overheads), with no overall limit, the line is: - -delay_parameters 1 -1/-1 8000/8000 - - Note that the figure -1 is used to represent "unlimited". - - And, if delay pool number 2 is a class 3 delay pool as in the above - example, and you want to limit it to a total of 256kbps (strict limit) - with each 8-bit network permitted 64kbps (strict limit) and each - individual host permitted 4800bps with a bucket maximum size of 64kb - to permit a decent web page to be downloaded at a decent speed - (if the network is not being limited due to overuse) but slow down - large downloads more significantly: - -delay_parameters 2 32000/32000 8000/8000 600/8000 - - There must be one delay_parameters line for each delay pool. 
- - Finally, for a class 4 delay pool as in the example - each user will - be limited to 128Kb no matter how many workstations they are logged into.: - -delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 -DOC_END - -NAME: delay_initial_bucket_level -COMMENT: (percent, 0-100) -TYPE: ushort -DEFAULT: 50 -IFDEF: DELAY_POOLS -LOC: Config.Delay.initial -DOC_START - The initial bucket percentage is used to determine how much is put - in each bucket when squid starts, is reconfigured, or first notices - a host accessing it (in class 2 and class 3, individual hosts and - networks only have buckets associated with them once they have been - "seen" by squid). -DOC_END - -COMMENT_START - WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: wccp_router -TYPE: address -LOC: Config.Wccp.router -DEFAULT: any_addr -IFDEF: USE_WCCP -DOC_START - Use this option to define your WCCP ``home'' router for - Squid. - - wccp_router supports a single WCCP(v1) router - - wccp2_router supports multiple WCCPv2 routers - - only one of the two may be used at the same time and defines - which version of WCCP to use. -DOC_END - -NAME: wccp2_router -TYPE: IpAddress_list -LOC: Config.Wccp2.router -DEFAULT: none -IFDEF: USE_WCCPv2 -DOC_START - Use this option to define your WCCP ``home'' router for - Squid. - - wccp_router supports a single WCCP(v1) router - - wccp2_router supports multiple WCCPv2 routers - - only one of the two may be used at the same time and defines - which version of WCCP to use. -DOC_END - -NAME: wccp_version -TYPE: int -LOC: Config.Wccp.version -DEFAULT: 4 -IFDEF: USE_WCCP -DOC_START - This directive is only relevant if you need to set up WCCP(v1) - to some very old and end-of-life Cisco routers. In all other - setups it must be left unset or at the default setting. 
- It defines an internal version in the WCCP(v1) protocol, - with version 4 being the officially documented protocol. - - According to some users, Cisco IOS 11.2 and earlier only - support WCCP version 3. If you're using that or an earlier - version of IOS, you may need to change this value to 3, otherwise - do not specify this parameter. -DOC_END - -NAME: wccp2_rebuild_wait -TYPE: onoff -LOC: Config.Wccp2.rebuildwait -DEFAULT: on -IFDEF: USE_WCCPv2 -DOC_START - If this is enabled Squid will wait for the cache dir rebuild to finish - before sending the first wccp2 HereIAm packet -DOC_END - -NAME: wccp2_forwarding_method -TYPE: wccp2_method -LOC: Config.Wccp2.forwarding_method -DEFAULT: gre -IFDEF: USE_WCCPv2 -DOC_START - WCCP2 allows the setting of forwarding methods between the - router/switch and the cache. Valid values are as follows: - - gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) - l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) - - Currently (as of IOS 12.4) cisco routers only support GRE. - Cisco switches only support the L2 redirect assignment method. -DOC_END - -NAME: wccp2_return_method -TYPE: wccp2_method -LOC: Config.Wccp2.return_method -DEFAULT: gre -IFDEF: USE_WCCPv2 -DOC_START - WCCP2 allows the setting of return methods between the - router/switch and the cache for packets that the cache - decides not to handle. Valid values are as follows: - - gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) - l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) - - Currently (as of IOS 12.4) cisco routers only support GRE. - Cisco switches only support the L2 redirect assignment. - - If the "ip wccp redirect exclude in" command has been - enabled on the cache interface, then it is still safe for - the proxy server to use a l2 redirect method even if this - option is set to GRE. 
-DOC_END - -NAME: wccp2_assignment_method -TYPE: wccp2_amethod -LOC: Config.Wccp2.assignment_method -DEFAULT: hash -IFDEF: USE_WCCPv2 -DOC_START - WCCP2 allows the setting of methods to assign the WCCP hash - Valid values are as follows: - - hash - Hash assignment - mask - Mask assignment - - As a general rule, cisco routers support the hash assignment method - and cisco switches support the mask assignment method. -DOC_END - -NAME: wccp2_service -TYPE: wccp2_service -LOC: Config.Wccp2.info -DEFAULT: none -DEFAULT_IF_NONE: standard 0 -IFDEF: USE_WCCPv2 -DOC_START - WCCP2 allows for multiple traffic services. There are two - types: "standard" and "dynamic". The standard type defines - one service id - http (id 0). The dynamic service ids can be from - 51 to 255 inclusive. In order to use a dynamic service id - one must define the type of traffic to be redirected; this is done - using the wccp2_service_info option. - - The "standard" type does not require a wccp2_service_info option, - just specifying the service id will suffice. - - MD5 service authentication can be enabled by adding - "password=" to the end of this service declaration. - - Examples: - - wccp2_service standard 0 # for the 'web-cache' standard service - wccp2_service dynamic 80 # a dynamic service type which will be - # fleshed out with subsequent options. - wccp2_service standard 0 password=foo -DOC_END - -NAME: wccp2_service_info -TYPE: wccp2_service_info -LOC: Config.Wccp2.info -DEFAULT: none -IFDEF: USE_WCCPv2 -DOC_START - Dynamic WCCPv2 services require further information to define the - traffic you wish to have diverted. - - The format is: - - wccp2_service_info protocol= flags=,.. - priority= ports=,.. - - The relevant WCCPv2 flags: - + src_ip_hash, dst_ip_hash - + source_port_hash, dst_port_hash - + src_ip_alt_hash, dst_ip_alt_hash - + src_port_alt_hash, dst_port_alt_hash - + ports_source - - The port list can be one to eight entries. 
- - Example: - - wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source - priority=240 ports=80 - - Note: the service id must have been defined by a previous - 'wccp2_service dynamic ' entry. -DOC_END - -NAME: wccp2_weight -TYPE: int -LOC: Config.Wccp2.weight -DEFAULT: 10000 -IFDEF: USE_WCCPv2 -DOC_START - Each cache server gets assigned a set of the destination - hash proportional to their weight. -DOC_END - -NAME: wccp_address -TYPE: address -LOC: Config.Wccp.address -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCP -DOC_NONE - -NAME: wccp2_address -TYPE: address -LOC: Config.Wccp2.address -DEFAULT: 0.0.0.0 -IFDEF: USE_WCCPv2 -DOC_START - Use this option if you require WCCP to use a specific - interface address. - - The default behavior is to not bind to any specific address. -DOC_END - -COMMENT_START - PERSISTENT CONNECTION HANDLING - ----------------------------------------------------------------------------- - - Also see "pconn_timeout" in the TIMEOUTS section -COMMENT_END - -NAME: client_persistent_connections -TYPE: onoff -LOC: Config.onoff.client_pconns -DEFAULT: on -DOC_NONE - -NAME: server_persistent_connections -TYPE: onoff -LOC: Config.onoff.server_pconns -DEFAULT: on -DOC_START - Persistent connection support for clients and servers. By - default, Squid uses persistent connections (when allowed) - with its clients and servers. You can use these options to - disable persistent connections with clients and/or servers. -DOC_END - -NAME: persistent_connection_after_error -TYPE: onoff -LOC: Config.onoff.error_pconns -DEFAULT: off -DOC_START - With this directive the use of persistent connections after - HTTP errors can be disabled. Useful if you have clients - who fail to handle errors on persistent connections proper. 
-DOC_END - -NAME: detect_broken_pconn -TYPE: onoff -LOC: Config.onoff.detect_broken_server_pconns -DEFAULT: off -DOC_START - Some servers have been found to incorrectly signal the use - of HTTP/1.0 persistent connections even on replies not - compatible, causing significant delays. This server problem - has mostly been seen on redirects. - - By enabling this directive Squid attempts to detect such - broken replies and automatically assume the reply is finished - after 10 seconds timeout. -DOC_END - -COMMENT_START - CACHE DIGEST OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: digest_generation -IFDEF: USE_CACHE_DIGESTS -TYPE: onoff -LOC: Config.onoff.digest_generation -DEFAULT: on -DOC_START - This controls whether the server will generate a Cache Digest - of its contents. By default, Cache Digest generation is - enabled if Squid is compiled with --enable-cache-digests defined. -DOC_END - -NAME: digest_bits_per_entry -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.bits_per_entry -DEFAULT: 5 -DOC_START - This is the number of bits of the server's Cache Digest which - will be associated with the Digest entry for a given HTTP - Method and URL (public key) combination. The default is 5. -DOC_END - -NAME: digest_rebuild_period -IFDEF: USE_CACHE_DIGESTS -COMMENT: (seconds) -TYPE: time_t -LOC: Config.digest.rebuild_period -DEFAULT: 1 hour -DOC_START - This is the wait time between Cache Digest rebuilds. -DOC_END - -NAME: digest_rewrite_period -COMMENT: (seconds) -IFDEF: USE_CACHE_DIGESTS -TYPE: time_t -LOC: Config.digest.rewrite_period -DEFAULT: 1 hour -DOC_START - This is the wait time between Cache Digest writes to - disk. -DOC_END - -NAME: digest_swapout_chunk_size -COMMENT: (bytes) -TYPE: b_size_t -IFDEF: USE_CACHE_DIGESTS -LOC: Config.digest.swapout_chunk_size -DEFAULT: 4096 bytes -DOC_START - This is the number of bytes of the Cache Digest to write to - disk at a time. 
It defaults to 4096 bytes (4KB), the Squid - default swap page. -DOC_END - -NAME: digest_rebuild_chunk_percentage -COMMENT: (percent, 0-100) -IFDEF: USE_CACHE_DIGESTS -TYPE: int -LOC: Config.digest.rebuild_chunk_percentage -DEFAULT: 10 -DOC_START - This is the percentage of the Cache Digest to be scanned at a - time. By default it is set to 10% of the Cache Digest. -DOC_END - -COMMENT_START - SNMP OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: snmp_port -TYPE: ushort -LOC: Config.Port.snmp -DEFAULT: 0 -IFDEF: SQUID_SNMP -DOC_START - The port number where Squid listens for SNMP requests. To enable - SNMP support set this to a suitable port number. Port number - 3401 is often used for the Squid SNMP agent. By default it's - set to "0" (disabled) - - Example: - snmp_port 3401 -DOC_END - -NAME: snmp_access -TYPE: acl_access -LOC: Config.accessList.snmp -DEFAULT: none -DEFAULT_IF_NONE: deny all -IFDEF: SQUID_SNMP -DOC_START - Allowing or denying access to the SNMP port. - - All access to the agent is denied by default. - usage: - - snmp_access allow|deny [!]aclname ... - - This clause only supports fast acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -Example: - snmp_access allow snmppublic localhost - snmp_access deny all -DOC_END - -NAME: snmp_incoming_address -TYPE: address -LOC: Config.Addrs.snmp_incoming -DEFAULT: any_addr -IFDEF: SQUID_SNMP -DOC_NONE - -NAME: snmp_outgoing_address -TYPE: address -LOC: Config.Addrs.snmp_outgoing -DEFAULT: no_addr -IFDEF: SQUID_SNMP -DOC_START - Just like 'udp_incoming_address', but for the SNMP port. - - snmp_incoming_address is used for the SNMP socket receiving - messages from SNMP agents. - snmp_outgoing_address is used for SNMP packets returned to SNMP - agents. - - The default snmp_incoming_address is to listen on all - available network interfaces. 
- - If snmp_outgoing_address is not set it will use the same socket - as snmp_incoming_address. Only change this if you want to have - SNMP replies sent using another address than where this Squid - listens for SNMP queries. - - NOTE, snmp_incoming_address and snmp_outgoing_address can not have - the same value since they both use port 3401. -DOC_END - -COMMENT_START - ICP OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: icp_port udp_port -TYPE: ushort -DEFAULT: 0 -LOC: Config.Port.icp -DOC_START - The port number where Squid sends and receives ICP queries to - and from neighbor caches. The standard UDP port for ICP is 3130. - Default is disabled (0). - - Example: - icp_port @DEFAULT_ICP_PORT@ -DOC_END - -NAME: htcp_port -IFDEF: USE_HTCP -TYPE: ushort -DEFAULT: 0 -LOC: Config.Port.htcp -DOC_START - The port number where Squid sends and receives HTCP queries to - and from neighbor caches. To turn it on you want to set it to - 4827. By default it is set to "0" (disabled). - - Example: - htcp_port 4827 -DOC_END - -NAME: log_icp_queries -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.log_udp -DOC_START - If set, ICP queries are logged to access.log. You may wish - do disable this if your ICP load is VERY high to speed things - up or to simplify log analysis. -DOC_END - -NAME: udp_incoming_address -TYPE: address -LOC:Config.Addrs.udp_incoming -DEFAULT: any_addr -DOC_START - udp_incoming_address is used for UDP packets received from other - caches. - - The default behavior is to not bind to any specific address. - - Only change this if you want to have all UDP queries received on - a specific interface/address. - - NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS - modules. Altering it will affect all of them in the same manner. - - see also; udp_outgoing_address - - NOTE, udp_incoming_address and udp_outgoing_address can not - have the same value since they both use the same port. 
-DOC_END - -NAME: udp_outgoing_address -TYPE: address -LOC: Config.Addrs.udp_outgoing -DEFAULT: no_addr -DOC_START - udp_outgoing_address is used for UDP packets sent out to other - caches. - - The default behavior is to not bind to any specific address. - - Instead it will use the same socket as udp_incoming_address. - Only change this if you want to have UDP queries sent using another - address than where this Squid listens for UDP queries from other - caches. - - NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS - modules. Altering it will affect all of them in the same manner. - - see also; udp_incoming_address - - NOTE, udp_incoming_address and udp_outgoing_address can not - have the same value since they both use the same port. -DOC_END - -NAME: icp_hit_stale -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.icp_hit_stale -DOC_START - If you want to return ICP_HIT for stale cache objects, set this - option to 'on'. If you have sibling relationships with caches - in other administrative domains, this should be 'off'. If you only - have sibling relationships with caches under your control, - it is probably okay to set this to 'on'. - If set to 'on', your siblings should use the option "allow-miss" - on their cache_peer lines for connecting to you. -DOC_END - -NAME: minimum_direct_hops -TYPE: int -DEFAULT: 4 -LOC: Config.minDirectHops -DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many hops away. -DOC_END - -NAME: minimum_direct_rtt -TYPE: int -DEFAULT: 400 -LOC: Config.minDirectRtt -DOC_START - If using the ICMP pinging stuff, do direct fetches for sites - which are no more than this many rtt milliseconds away. -DOC_END - -NAME: netdb_low -TYPE: int -DEFAULT: 900 -LOC: Config.Netdb.low -DOC_NONE - -NAME: netdb_high -TYPE: int -DEFAULT: 1000 -LOC: Config.Netdb.high -DOC_START - The low and high water marks for the ICMP measurement - database. These are counts, not percents. 
The defaults are - 900 and 1000. When the high water mark is reached, database - entries will be deleted until the low mark is reached. -DOC_END - -NAME: netdb_ping_period -TYPE: time_t -LOC: Config.Netdb.period -DEFAULT: 5 minutes -DOC_START - The minimum period for measuring a site. There will be at - least this much delay between successive pings to the same - network. The default is five minutes. -DOC_END - -NAME: query_icmp -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.query_icmp -DOC_START - If you want to ask your peers to include ICMP data in their ICP - replies, enable this option. - - If your peer has configured Squid (during compilation) with - '--enable-icmp' that peer will send ICMP pings to origin server - sites of the URLs it receives. If you enable this option the - ICP replies from that peer will include the ICMP data (if available). - Then, when choosing a parent cache, Squid will choose the parent with - the minimal RTT to the origin server. When this happens, the - hierarchy field of the access.log will be - "CLOSEST_PARENT_MISS". This option is off by default. -DOC_END - -NAME: test_reachability -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.test_reachability -DOC_START - When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH - instead of ICP_MISS if the target host is NOT in the ICMP - database, or has a zero RTT. -DOC_END - -NAME: icp_query_timeout -COMMENT: (msec) -DEFAULT: 0 -TYPE: int -LOC: Config.Timeout.icp_query -DOC_START - Normally Squid will automatically determine an optimal ICP - query timeout value based on the round-trip-time of recent ICP - queries. If you want to override the value determined by - Squid, set this 'icp_query_timeout' to a non-zero value. 
This - value is specified in MILLISECONDS, so, to use a 2-second - timeout (the old default), you would write: - - icp_query_timeout 2000 -DOC_END - -NAME: maximum_icp_query_timeout -COMMENT: (msec) -DEFAULT: 2000 -TYPE: int -LOC: Config.Timeout.icp_query_max -DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very large values (say 5 seconds). - Use this option to put an upper limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. -DOC_END - -NAME: minimum_icp_query_timeout -COMMENT: (msec) -DEFAULT: 5 -TYPE: int -LOC: Config.Timeout.icp_query_min -DOC_START - Normally the ICP query timeout is determined dynamically. But - sometimes it can lead to very small timeouts, even lower than - the normal latency variance on your link due to traffic. - Use this option to put an lower limit on the dynamic timeout - value. Do NOT use this option to always use a fixed (instead - of a dynamic) timeout value. To set a fixed timeout see the - 'icp_query_timeout' directive. -DOC_END - -NAME: background_ping_rate -COMMENT: time-units -TYPE: time_t -DEFAULT: 10 seconds -LOC: Config.backgroundPingRate -DOC_START - Controls how often the ICP pings are sent to siblings that - have background-ping set. -DOC_END - -COMMENT_START - MULTICAST ICP OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: mcast_groups -TYPE: wordlist -LOC: Config.mcast_group_list -DEFAULT: none -DOC_START - This tag specifies a list of multicast groups which your server - should join to receive multicasted ICP queries. - - NOTE! Be very careful what you put here! Be sure you - understand the difference between an ICP _query_ and an ICP - _reply_. This option is to be set only if you want to RECEIVE - multicast queries. 
Do NOT set this option to SEND multicast - ICP (use cache_peer for that). ICP replies are always sent via - unicast, so this option does not affect whether or not you will - receive replies from multicast group members. - - You must be very careful to NOT use a multicast address which - is already in use by another group of caches. - - If you are unsure about multicast, please read the Multicast - chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). - - Usage: mcast_groups 239.128.16.128 224.0.1.20 - - By default, Squid doesn't listen on any multicast groups. -DOC_END - -NAME: mcast_miss_addr -IFDEF: MULTICAST_MISS_STREAM -TYPE: address -LOC: Config.mcast_miss.addr -DEFAULT: no_addr -DOC_START - If you enable this option, every "cache miss" URL will - be sent out on the specified multicast address. - - Do not enable this option unless you are are absolutely - certain you understand what you are doing. -DOC_END - -NAME: mcast_miss_ttl -IFDEF: MULTICAST_MISS_STREAM -TYPE: ushort -LOC: Config.mcast_miss.ttl -DEFAULT: 16 -DOC_START - This is the time-to-live value for packets multicasted - when multicasting off cache miss URLs is enabled. By - default this is set to 'site scope', i.e. 16. -DOC_END - -NAME: mcast_miss_port -IFDEF: MULTICAST_MISS_STREAM -TYPE: ushort -LOC: Config.mcast_miss.port -DEFAULT: 3135 -DOC_START - This is the port number to be used in conjunction with - 'mcast_miss_addr'. -DOC_END - -NAME: mcast_miss_encode_key -IFDEF: MULTICAST_MISS_STREAM -TYPE: string -LOC: Config.mcast_miss.encode_key -DEFAULT: XXXXXXXXXXXXXXXX -DOC_START - The URLs that are sent in the multicast miss stream are - encrypted. This is the encryption key. -DOC_END - -NAME: mcast_icp_query_timeout -COMMENT: (msec) -DEFAULT: 2000 -TYPE: int -LOC: Config.Timeout.mcast_icp_query -DOC_START - For multicast peers, Squid regularly sends out ICP "probes" to - count how many other peers are listening on the given multicast - address. 
This value specifies how long Squid should wait to - count all the replies. The default is 2000 msec, or 2 - seconds. -DOC_END - -COMMENT_START - INTERNAL ICON OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: icon_directory -TYPE: string -LOC: Config.icons.directory -DEFAULT: @DEFAULT_ICON_DIR@ -DOC_START - Where the icons are stored. These are normally kept in - @DEFAULT_ICON_DIR@ -DOC_END - -NAME: global_internal_static -TYPE: onoff -LOC: Config.onoff.global_internal_static -DEFAULT: on -DOC_START - This directive controls is Squid should intercept all requests for - /squid-internal-static/ no matter which host the URL is requesting - (default on setting), or if nothing special should be done for - such URLs (off setting). The purpose of this directive is to make - icons etc work better in complex cache hierarchies where it may - not always be possible for all corners in the cache mesh to reach - the server generating a directory listing. -DOC_END - -NAME: short_icon_urls -TYPE: onoff -LOC: Config.icons.use_short_names -DEFAULT: on -DOC_START - If this is enabled Squid will use short URLs for icons. - If disabled it will revert to the old behavior of including - it's own name and port in the URL. - - If you run a complex cache hierarchy with a mix of Squid and - other proxies you may need to disable this directive. -DOC_END - -COMMENT_START - ERROR PAGE OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: error_directory -TYPE: string -LOC: Config.errorDirectory -DEFAULT: none -DOC_START - If you wish to create your own versions of the default - error files to customize them to suit your company copy - the error/template files to another directory and point - this tag at them. - - WARNING: This option will disable multi-language support - on error pages if used. 
- - The squid developers are interested in making squid available in - a wide variety of languages. If you are making translations for a - language that Squid does not currently provide please consider - contributing your translation back to the project. - http://wiki.squid-cache.org/Translations - - The squid developers working on translations are happy to supply drop-in - translated error files in exchange for any new language contributions. -DOC_END - -NAME: error_default_language -IFDEF: USE_ERR_LOCALES -TYPE: string -LOC: Config.errorDefaultLanguage -DEFAULT: none -DOC_START - Set the default language which squid will send error pages in - if no existing translation matches the clients language - preferences. - - If unset (default) generic English will be used. - - The squid developers are interested in making squid available in - a wide variety of languages. If you are interested in making - translations for any language see the squid wiki for details. - http://wiki.squid-cache.org/Translations -DOC_END - -NAME: error_log_languages -IFDEF: USE_ERR_LOCALES -TYPE: onoff -LOC: Config.errorLogMissingLanguages -DEFAULT: on -DOC_START - Log to cache.log what languages users are attempting to - auto-negotiate for translations. - - Successful negotiations are not logged. Only failures - have meaning to indicate that Squid may need an upgrade - of its error page translations. -DOC_END - -NAME: err_page_stylesheet -TYPE: string -LOC: Config.errorStylesheet -DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css -DOC_START - CSS Stylesheet to pattern the display of Squid default error pages. - - For information on CSS see http://www.w3.org/Style/CSS/ -DOC_END - -NAME: err_html_text -TYPE: eol -LOC: Config.errHtmlText -DEFAULT: none -DOC_START - HTML text to include in error messages. Make this a "mailto" - URL to your admin address, or maybe just a link to your - organizations Web page. 
- - To include this in your error messages, you must rewrite - the error template files (found in the "errors" directory). - Wherever you want the 'err_html_text' line to appear, - insert a %L tag in the error template file. -DOC_END - -NAME: email_err_data -COMMENT: on|off -TYPE: onoff -LOC: Config.onoff.emailErrData -DEFAULT: on -DOC_START - If enabled, information about the occurred error will be - included in the mailto links of the ERR pages (if %W is set) - so that the email body contains the data. - Syntax is %w -DOC_END - -NAME: deny_info -TYPE: denyinfo -LOC: Config.denyInfoList -DEFAULT: none -DOC_START - Usage: deny_info err_page_name acl - or deny_info http://... acl - or deny_info TCP_RESET acl - - This can be used to return a ERR_ page for requests which - do not pass the 'http_access' rules. Squid remembers the last - acl it evaluated in http_access, and if a 'deny_info' line exists - for that ACL Squid returns a corresponding error page. - - The acl is typically the last acl on the http_access deny line which - denied access. The exceptions to this rule are: - - When Squid needs to request authentication credentials. It's then - the first authentication related acl encountered - - When none of the http_access lines matches. It's then the last - acl processed on the last http_access line. - - NP: If providing your own custom error pages with error_directory - you may also specify them by your custom file name: - Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys - - Alternatively you can tell Squid to reset the TCP connection - by specifying TCP_RESET. - - Or you can specify an error URL or URL pattern. The browsers will - get redirected (302) to the specified URL after formattgin tags have - been replaced. - - URL FORMAT TAGS: - %a - username (if available. 
Password NOT included) - %B - FTP path URL - %e - Error number - %E - Error description - %h - Squid hostname - %H - Request domain name - %i - Client IP Address - %M - Request Method - %o - Message result from external ACL helper - %p - Request Port number - %P - Request Protocol name - %R - Request URL path - %T - Timestamp in RFC 1123 format - %U - Full canonical URL from client - (HTTPS URLs terminate with *) - %u - Full canonical URL from client - %w - Admin email from squid.conf - %% - Literal percent (%) code - -DOC_END - -COMMENT_START - OPTIONS INFLUENCING REQUEST FORWARDING - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: nonhierarchical_direct -TYPE: onoff -LOC: Config.onoff.nonhierarchical_direct -DEFAULT: on -DOC_START - By default, Squid will send any non-hierarchical requests - (matching hierarchy_stoplist or not cacheable request type) direct - to origin servers. - - If you set this to off, Squid will prefer to send these - requests to parents. - - Note that in most configurations, by turning this off you will only - add latency to these request without any improvement in global hit - ratio. - - If you are inside an firewall see never_direct instead of - this directive. -DOC_END - -NAME: prefer_direct -TYPE: onoff -LOC: Config.onoff.prefer_direct -DEFAULT: off -DOC_START - Normally Squid tries to use parents for most requests. If you for some - reason like it to first try going direct and only use a parent if - going direct fails set this to on. - - By combining nonhierarchical_direct off and prefer_direct on you - can set up Squid to use a parent as a backup path if going direct - fails. - - Note: If you want Squid to use parents for all requests see - the never_direct directive. prefer_direct only modifies how Squid - acts on cacheable requests. 
-DOC_END - -NAME: always_direct -TYPE: acl_access -LOC: Config.accessList.AlwaysDirect -DEFAULT: none -DOC_START - Usage: always_direct allow|deny [!]aclname ... - - Here you can use ACL elements to specify requests which should - ALWAYS be forwarded by Squid to the origin servers without using - any peers. For example, to always directly forward requests for - local servers ignoring any parents or siblings you may have use - something like: - - acl local-servers dstdomain my.domain.net - always_direct allow local-servers - - To always forward FTP requests directly, use - - acl FTP proto FTP - always_direct allow FTP - - NOTE: There is a similar, but opposite option named - 'never_direct'. You need to be aware that "always_direct deny - foo" is NOT the same thing as "never_direct allow foo". You - may need to use a deny rule to exclude a more-specific case of - some other rule. Example: - - acl local-external dstdomain external.foo.net - acl local-servers dstdomain .foo.net - always_direct deny local-external - always_direct allow local-servers - - NOTE: If your goal is to make the client forward the request - directly to the origin server bypassing Squid then this needs - to be done in the client configuration. Squid configuration - can only tell Squid how Squid should fetch the object. - - NOTE: This directive is not related to caching. The replies - is cached as usual even if you use always_direct. To not cache - the replies see the 'cache' directive. - - This clause supports both fast and slow acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - -NAME: never_direct -TYPE: acl_access -LOC: Config.accessList.NeverDirect -DEFAULT: none -DOC_START - Usage: never_direct allow|deny [!]aclname ... - - never_direct is the opposite of always_direct. Please read - the description for always_direct if you have not already. 
- - With 'never_direct' you can use ACL elements to specify - requests which should NEVER be forwarded directly to origin - servers. For example, to force the use of a proxy for all - requests, except those in your local domain use something like: - - acl local-servers dstdomain .foo.net - never_direct deny local-servers - never_direct allow all - - or if Squid is inside a firewall and there are local intranet - servers inside the firewall use something like: - - acl local-intranet dstdomain .foo.net - acl local-external dstdomain external.foo.net - always_direct deny local-external - always_direct allow local-intranet - never_direct allow all - - This clause supports both fast and slow acl types. - See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - -COMMENT_START - ADVANCED NETWORKING OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: incoming_icp_average -TYPE: int -DEFAULT: 6 -LOC: Config.comm_incoming.icp_average -DOC_NONE - -NAME: incoming_http_average -TYPE: int -DEFAULT: 4 -LOC: Config.comm_incoming.http_average -DOC_NONE - -NAME: incoming_dns_average -TYPE: int -DEFAULT: 4 -LOC: Config.comm_incoming.dns_average -DOC_NONE - -NAME: min_icp_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.icp_min_poll -DOC_NONE - -NAME: min_dns_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.dns_min_poll -DOC_NONE - -NAME: min_http_poll_cnt -TYPE: int -DEFAULT: 8 -LOC: Config.comm_incoming.http_min_poll -DOC_START - Heavy voodoo here. I can't even believe you are reading this. - Are you crazy? Don't even think about adjusting these unless - you understand the algorithms in comm_select.c first! -DOC_END - -NAME: accept_filter -TYPE: string -DEFAULT: none -LOC: Config.accept_filter -DOC_START - FreeBSD: - - The name of an accept(2) filter to install on Squid's - listen socket(s). This feature is perhaps specific to - FreeBSD and requires support in the kernel. 
- - The 'httpready' filter delays delivering new connections - to Squid until a full HTTP request has been received. - See the accf_http(9) man page for details. - - The 'dataready' filter delays delivering new connections - to Squid until there is some data to process. - See the accf_dataready(9) man page for details. - - Linux: - - The 'data' filter delays delivering of new connections - to Squid until there is some data to process by TCP_ACCEPT_DEFER. - You may optionally specify a number of seconds to wait by - 'data=N' where N is the number of seconds. Defaults to 30 - if not specified. See the tcp(7) man page for details. -EXAMPLE: -# FreeBSD -accept_filter httpready -# Linux -accept_filter data -DOC_END - -NAME: client_ip_max_connections -TYPE: int -LOC: Config.client_ip_max_connections -DEFAULT: -1 -DOC_START - Set an absolute limit on the number of connections a single - client IP can use. Any more than this and Squid will begin to drop - new connections from the client until it closes some links. - - Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP - connections from the client. For finer control use the ACL access controls. - - Requires client_db to be enabled (the default). - - WARNING: This may noticably slow down traffic received via external proxies - or NAT devices and cause them to rebound error messages back to their clients. -DOC_END - -NAME: tcp_recv_bufsize -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 0 bytes -LOC: Config.tcpRcvBufsz -DOC_START - Size of receive buffer to set for TCP sockets. Probably just - as easy to change your kernel's default. Set to zero to use - the default buffer size. 
-DOC_END - -COMMENT_START - ICAP OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: icap_enable -TYPE: onoff -IFDEF: ICAP_CLIENT -COMMENT: on|off -LOC: Adaptation::Icap::TheConfig.onoff -DEFAULT: off -DOC_START - If you want to enable the ICAP module support, set this to on. -DOC_END - -NAME: icap_connect_timeout -TYPE: time_t -DEFAULT: none -LOC: Adaptation::Icap::TheConfig.connect_timeout_raw -IFDEF: ICAP_CLIENT -DOC_START - This parameter specifies how long to wait for the TCP connect to - the requested ICAP server to complete before giving up and either - terminating the HTTP transaction or bypassing the failure. - - The default for optional services is peer_connect_timeout. - The default for essential services is connect_timeout. - If this option is explicitly set, its value applies to all services. -DOC_END - -NAME: icap_io_timeout -COMMENT: time-units -TYPE: time_t -DEFAULT: none -LOC: Adaptation::Icap::TheConfig.io_timeout_raw -IFDEF: ICAP_CLIENT -DOC_START - This parameter specifies how long to wait for an I/O activity on - an established, active ICAP connection before giving up and - either terminating the HTTP transaction or bypassing the - failure. - - The default is read_timeout. -DOC_END - -NAME: icap_service_failure_limit -COMMENT: limit [in memory-depth time-units] -TYPE: icap_service_failure_limit -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig -DEFAULT: 10 -DOC_START - The limit specifies the number of failures that Squid tolerates - when establishing a new TCP connection with an ICAP service. If - the number of failures exceeds the limit, the ICAP service is - not used for new ICAP requests until it is time to refresh its - OPTIONS. - - A negative value disables the limit. Without the limit, an ICAP - service will not be considered down due to connectivity failures - between ICAP OPTIONS requests. 
- - Squid forgets ICAP service failures older than the specified - value of memory-depth. The memory fading algorithm - is approximate because Squid does not remember individual - errors but groups them instead, splitting the option - value into ten time slots of equal length. - - When memory-depth is 0 and by default this option has no - effect on service failure expiration. - - Squid always forgets failures when updating service settings - using an ICAP OPTIONS transaction, regardless of this option - setting. - - For example, - # suspend service usage after 10 failures in 5 seconds: - icap_service_failure_limit 10 in 5 seconds -DOC_END - -NAME: icap_service_revival_delay -TYPE: int -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig.service_revival_delay -DEFAULT: 180 -DOC_START - The delay specifies the number of seconds to wait after an ICAP - OPTIONS request failure before requesting the options again. The - failed ICAP service is considered "down" until fresh OPTIONS are - fetched. - - The actual delay cannot be smaller than the hardcoded minimum - delay of 30 seconds. -DOC_END - -NAME: icap_preview_enable -TYPE: onoff -IFDEF: ICAP_CLIENT -COMMENT: on|off -LOC: Adaptation::Icap::TheConfig.preview_enable -DEFAULT: on -DOC_START - The ICAP Preview feature allows the ICAP server to handle the - HTTP message by looking only at the beginning of the message body - or even without receiving the body at all. In some environments, - previews greatly speedup ICAP processing. - - During an ICAP OPTIONS transaction, the server may tell Squid what - HTTP messages should be previewed and how big the preview should be. - Squid will not use Preview if the server did not request one. - - To disable ICAP Preview for all ICAP services, regardless of - individual ICAP server OPTIONS responses, set this option to "off". 
-Example: -icap_preview_enable off -DOC_END - -NAME: icap_preview_size -TYPE: int -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig.preview_size -DEFAULT: -1 -DOC_START - The default size of preview data to be sent to the ICAP server. - -1 means no preview. This value might be overwritten on a per server - basis by OPTIONS requests. -DOC_END - -NAME: icap_default_options_ttl -TYPE: int -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig.default_options_ttl -DEFAULT: 60 -DOC_START - The default TTL value for ICAP OPTIONS responses that don't have - an Options-TTL header. -DOC_END - -NAME: icap_persistent_connections -TYPE: onoff -IFDEF: ICAP_CLIENT -COMMENT: on|off -LOC: Adaptation::Icap::TheConfig.reuse_connections -DEFAULT: on -DOC_START - Whether or not Squid should use persistent connections to - an ICAP server. -DOC_END - -NAME: icap_send_client_ip -TYPE: onoff -IFDEF: ICAP_CLIENT -COMMENT: on|off -LOC: Adaptation::Icap::TheConfig.send_client_ip -DEFAULT: off -DOC_START - This adds the header "X-Client-IP" to ICAP requests. -DOC_END - -NAME: icap_send_client_username -TYPE: onoff -IFDEF: ICAP_CLIENT -COMMENT: on|off -LOC: Adaptation::Icap::TheConfig.send_client_username -DEFAULT: off -DOC_START - This sends authenticated HTTP client username (if available) to - the ICAP service. The username value is encoded based on the - icap_client_username_encode option and is sent using the header - specified by the icap_client_username_header option. -DOC_END - -NAME: icap_client_username_header -TYPE: string -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig.client_username_header -DEFAULT: X-Client-Username -DOC_START - ICAP request header name to use for send_client_username. -DOC_END - -NAME: icap_client_username_encode -TYPE: onoff -IFDEF: ICAP_CLIENT -COMMENT: on|off -LOC: Adaptation::Icap::TheConfig.client_username_encode -DEFAULT: off -DOC_START - Whether to base64 encode the authenticated client username. 
-DOC_END - -NAME: icap_service -TYPE: icap_service_type -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig -DEFAULT: none -DOC_START - Defines a single ICAP service using the following format: - - icap_service service_name vectoring_point [options] service_url - - service_name: ID - an opaque identifier which must be unique in squid.conf - - vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache - This specifies at which point of transaction processing the - ICAP service should be activated. *_postcache vectoring points - are not yet supported. - - service_url: icap://servername:port/servicepath - ICAP server and service location. - - ICAP does not allow a single service to handle both REQMOD and RESPMOD - transactions. Squid does not enforce that requirement. You can specify - services with the same service_url and different vectoring_points. You - can even specify multiple identical services as long as their - service_names differ. - - - Service options are separated by white space. ICAP services support - the following name=value options: - - bypass=on|off|1|0 - If set to 'on' or '1', the ICAP service is treated as - optional. If the service cannot be reached or malfunctions, - Squid will try to ignore any errors and process the message as - if the service was not enabled. No all ICAP errors can be - bypassed. If set to 0, the ICAP service is treated as - essential and all ICAP errors will result in an error page - returned to the HTTP client. - - Bypass is off by default: services are treated as essential. - - routing=on|off|1|0 - If set to 'on' or '1', the ICAP service is allowed to - dynamically change the current message adaptation plan by - returning a chain of services to be used next. The services - are specified using the X-Next-Services ICAP response header - value, formatted as a comma-separated list of service names. 
- Each named service should be configured in squid.conf and - should have the same method and vectoring point as the current - ICAP transaction. Services violating these rules are ignored. - An empty X-Next-Services value results in an empty plan which - ends the current adaptation. - - Routing is not allowed by default: the ICAP X-Next-Services - response header is ignored. - - Older icap_service format without optional named parameters is - deprecated but supported for backward compatibility. - -Example: -icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod -icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod -DOC_END - -NAME: icap_class -TYPE: icap_class_type -IFDEF: ICAP_CLIENT -LOC: none -DEFAULT: none -DOC_START - This deprecated option was documented to define an ICAP service - chain, even though it actually defined a set of similar, redundant - services, and the chains were not supported. - - To define a set of redundant services, please use the - adaptation_service_set directive. For service chains, use - adaptation_service_chain. -DOC_END - -NAME: icap_access -TYPE: icap_access_type -IFDEF: ICAP_CLIENT -LOC: none -DEFAULT: none -DOC_START - This option is deprecated. Please use adaptation_access, which - has the same ICAP functionality, but comes with better - documentation, and eCAP support. -DOC_END - -COMMENT_START - eCAP OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: ecap_enable -TYPE: onoff -IFDEF: USE_ECAP -COMMENT: on|off -LOC: Adaptation::Ecap::TheConfig.onoff -DEFAULT: off -DOC_START - Controls whether eCAP support is enabled. 
-DOC_END - -NAME: ecap_service -TYPE: ecap_service_type -IFDEF: USE_ECAP -LOC: Adaptation::Ecap::TheConfig -DEFAULT: none -DOC_START - Defines a single eCAP service - - ecap_service servicename vectoring_point bypass service_url - - vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache - This specifies at which point of transaction processing the - eCAP service should be activated. *_postcache vectoring points - are not yet supported. - bypass = 1|0 - If set to 1, the eCAP service is treated as optional. If the - service cannot be reached or malfunctions, Squid will try to - ignore any errors and process the message as if the service - was not enabled. No all eCAP errors can be bypassed. - If set to 0, the eCAP service is treated as essential and all - eCAP errors will result in an error page returned to the - HTTP client. - service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional - -Example: -ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block -ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg -DOC_END - -NAME: loadable_modules -TYPE: wordlist -IFDEF: USE_LOADABLE_MODULES -LOC: Config.loadable_module_names -DEFAULT: none -DOC_START - Instructs Squid to load the specified dynamic module(s) or activate - preloaded module(s). -Example: -loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so -DOC_END - -COMMENT_START - MESSAGE ADAPTATION OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: adaptation_service_set -TYPE: adaptation_service_set_type -IFDEF: USE_ADAPTATION -LOC: none -DEFAULT: none -DOC_START - - Configures an ordered set of similar, redundant services. This is - useful when hot standby or backup adaptation servers are available. - - adaptation_service_set set_name service_name1 service_name2 ... - - The named services are used in the set declaration order. 
The first - applicable adaptation service from the set is used first. The next - applicable service is tried if and only if the transaction with the - previous service fails and the message waiting to be adapted is still - intact. - - When adaptation starts, broken services are ignored as if they were - not a part of the set. A broken service is a down optional service. - - The services in a set must be attached to the same vectoring point - (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). - - If all services in a set are optional then adaptation failures are - bypassable. If all services in the set are essential, then a - transaction failure with one service may still be retried using - another service from the set, but when all services fail, the master - transaction fails as well. - - A set may contain a mix of optional and essential services, but that - is likely to lead to surprising results because broken services become - ignored (see above), making previously bypassable failures fatal. - Technically, it is the bypassability of the last failed service that - matters. - - See also: adaptation_access adaptation_service_chain - -Example: -adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup -adaptation service_set svcLogger loggerLocal loggerRemote -DOC_END - -NAME: adaptation_service_chain -TYPE: adaptation_service_chain_type -IFDEF: USE_ADAPTATION -LOC: none -DEFAULT: none -DOC_START - - Configures a list of complementary services that will be applied - one-by-one, forming an adaptation chain or pipeline. This is useful - when Squid must perform different adaptations on the same message. - - adaptation_service_chain chain_name service_name1 svc_name2 ... - - The named services are used in the chain declaration order. The first - applicable adaptation service from the chain is used first. The next - applicable service is applied to the successful adaptation results of - the previous service in the chain. 
- - When adaptation starts, broken services are ignored as if they were - not a part of the chain. A broken service is a down optional service. - - Request satisfaction terminates the adaptation chain because Squid - does not currently allow declaration of RESPMOD services at the - "reqmod_precache" vectoring point (see icap_service or ecap_service). - - The services in a chain must be attached to the same vectoring point - (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). - - A chain may contain a mix of optional and essential services. If an - essential adaptation fails (or the failure cannot be bypassed for - other reasons), the master transaction fails. Otherwise, the failure - is bypassed as if the failed adaptation service was not in the chain. - - See also: adaptation_access adaptation_service_set - -Example: -adaptation_service_chain svcRequest requestLogger urlFilter leakDetector -DOC_END - -NAME: adaptation_access -TYPE: adaptation_access_type -IFDEF: USE_ADAPTATION -LOC: none -DEFAULT: none -DOC_START - Sends an HTTP transaction to an ICAP or eCAP adaptation service. - - adaptation_access service_name allow|deny [!]aclname... - adaptation_access set_name allow|deny [!]aclname... - - At each supported vectoring point, the adaptation_access - statements are processed in the order they appear in this - configuration file. Statements pointing to the following services - are ignored (i.e., skipped without checking their ACL): - - - services serving different vectoring points - - "broken-but-bypassable" services - - "up" services configured to ignore such transactions - (e.g., based on the ICAP Transfer-Ignore header). - - When a set_name is used, all services in the set are checked - using the same rules, to find the first applicable one. See - adaptation_service_set for details. 
- - If an access list is checked and there is a match, the - processing stops: For an "allow" rule, the corresponding - adaptation service is used for the transaction. For a "deny" - rule, no adaptation service is activated. - - It is currently not possible to apply more than one adaptation - service at the same vectoring point to the same HTTP transaction. - - See also: icap_service and ecap_service - -Example: -adaptation_access service_1 allow all -DOC_END - -NAME: adaptation_service_iteration_limit -TYPE: int -IFDEF: USE_ADAPTATION -LOC: Adaptation::Config::service_iteration_limit -DEFAULT: 16 -DOC_START - Limits the number of iterations allowed when applying adaptation - services to a message. If your longest adaptation set or chain - may have more than 16 services, increase the limit beyond its - default value of 16. If detecting infinite iteration loops sooner - is critical, make the iteration limit match the actual number - of services in your longest adaptation set or chain. - - Infinite adaptation loops are most likely with routing services. - - See also: icap_service routing=1 -DOC_END - -NAME: adaptation_masterx_shared_names -TYPE: string -IFDEF: USE_ADAPTATION -LOC: Adaptation::Config::masterx_shared_name -DEFAULT: none -DOC_START - For each master transaction (i.e., the HTTP request and response - sequence, including all related ICAP and eCAP exchanges), Squid - maintains a table of metadata. The table entries are (name, value) - pairs shared among eCAP and ICAP exchanges. The table is destroyed - with the master transaction. - - This option specifies the table entry names that Squid must accept - from and forward to the adaptation transactions. - - An ICAP REQMOD or RESPMOD transaction may set an entry in the - shared table by returning an ICAP header field with a name - specified in adaptation_masterx_shared_names. Squid will store - and forward that ICAP header field to subsequent ICAP - transactions within the same master transaction scope. 
- - Only one shared entry name is supported at this time. - -Example: -# share authentication information among ICAP services -adaptation_masterx_shared_names X-Subscriber-ID -DOC_END - -NAME: icap_retry -TYPE: acl_access -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig.repeat -DEFAULT: none -DEFAULT_IF_NONE: deny all -DOC_START - This ACL determines which retriable ICAP transactions are - retried. Transactions that received a complete ICAP response - and did not have to consume or produce HTTP bodies to receive - that response are usually retriable. - - icap_retry allow|deny [!]aclname ... - - Squid automatically retries some ICAP I/O timeouts and errors - due to persistent connection race conditions. - - See also: icap_retry_limit -DOC_END - -NAME: icap_retry_limit -TYPE: int -IFDEF: ICAP_CLIENT -LOC: Adaptation::Icap::TheConfig.repeat_limit -DEFAULT: 0 -DOC_START - Limits the number of retries allowed. When set to zero (default), - no retries are allowed. - - Communication errors due to persistent connection race - conditions are unavoidable, automatically retried, and do not - count against this limit. - - See also: icap_retry -DOC_END - - -COMMENT_START - DNS OPTIONS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: check_hostnames -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.check_hostnames -DOC_START - For security and stability reasons Squid can check - hostnames for Internet standard RFC compliance. If you want - Squid to perform these checks turn this directive on. -DOC_END - -NAME: allow_underscore -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.allow_underscore -DOC_START - Underscore characters is not strictly allowed in Internet hostnames - but nevertheless used by many sites. Set this to off if you want - Squid to be strict about the standard. - This check is performed only when check_hostnames is set to on. 
-DOC_END - -NAME: cache_dns_program -TYPE: string -IFDEF: USE_DNSSERVERS -DEFAULT: @DEFAULT_DNSSERVER@ -LOC: Config.Program.dnsserver -DOC_START - Specify the location of the executable for dnslookup process. -DOC_END - -NAME: dns_children -TYPE: HelperChildConfig -IFDEF: USE_DNSSERVERS -DEFAULT: 32 startup=1 idle=1 -LOC: Config.dnsChildren -DOC_START - The maximum number of processes spawn to service DNS name lookups. - If you limit it too few Squid will have to wait for them to process - a backlog of requests, slowing it down. If you allow too many they - will use RAM and other system resources noticably. - The maximum this may be safely set to is 32. - - The startup= and idle= options allow some measure of skew in your - tuning. - - startup= - - Sets a minimum of how many processes are to be spawned when Squid - starts or reconfigures. When set to zero the first request will - cause spawning of the first child process to handle it. - - Starting too few will cause an initial slowdown in traffic as Squid - attempts to simultaneously spawn enough processes to cope. - - idle= - - Sets a minimum of how many processes Squid is to try and keep available - at all times. When traffic begins to rise above what the existing - processes can handle this many more will be spawned up to the maximum - configured. A minimum setting of 1 is required. -DOC_END - -NAME: dns_retransmit_interval -TYPE: time_t -DEFAULT: 5 seconds -LOC: Config.Timeout.idns_retransmit -IFDEF: !USE_DNSSERVERS -DOC_START - Initial retransmit interval for DNS queries. The interval is - doubled each time all configured DNS servers have been tried. -DOC_END - -NAME: dns_timeout -TYPE: time_t -DEFAULT: 2 minutes -LOC: Config.Timeout.idns_query -IFDEF: !USE_DNSSERVERS -DOC_START - DNS Query timeout. If no response is received to a DNS query - within this time all DNS servers for the queried domain - are assumed to be unavailable. 
-DOC_END - -NAME: dns_defnames -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.res_defnames -DOC_START - Normally the RES_DEFNAMES resolver option is disabled - (see res_init(3)). This prevents caches in a hierarchy - from interpreting single-component hostnames locally. To allow - Squid to handle single-component names, enable this option. -DOC_END - -NAME: dns_nameservers -TYPE: wordlist -DEFAULT: none -LOC: Config.dns_nameservers -DOC_START - Use this if you want to specify a list of DNS name servers - (IP addresses) to use instead of those given in your - /etc/resolv.conf file. - On Windows platforms, if no value is specified here or in - the /etc/resolv.conf file, the list of DNS name servers are - taken from the Windows registry, both static and dynamic DHCP - configurations are supported. - - Example: dns_nameservers 10.0.0.1 192.172.0.4 -DOC_END - -NAME: hosts_file -TYPE: string -DEFAULT: @DEFAULT_HOSTS@ -LOC: Config.etcHostsPath -DOC_START - Location of the host-local IP name-address associations - database. Most Operating Systems have such a file on different - default locations: - - Un*X & Linux: /etc/hosts - - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\winnt) - - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts - (%SystemRoot% value install default is c:\windows) - - Windows 9x/Me: %windir%\hosts - (%windir% value is usually c:\windows) - - Cygwin: /etc/hosts - - The file contains newline-separated definitions, in the - form ip_address_in_dotted_form name [name ...] names are - whitespace-separated. Lines beginning with an hash (#) - character are comments. - - The file is checked at startup and upon configuration. - If set to 'none', it won't be checked. - If append_domain is used, that domain will be added to - domain-local (i.e. not containing any dot character) host - definitions. 
-DOC_END - -NAME: append_domain -TYPE: string -LOC: Config.appendDomain -DEFAULT: none -DOC_START - Appends local domain name to hostnames without any dots in - them. append_domain must begin with a period. - - Be warned there are now Internet names with no dots in - them using only top-domain names, so setting this may - cause some Internet sites to become unavailable. - -Example: - append_domain .yourdomain.com -DOC_END - -NAME: ignore_unknown_nameservers -TYPE: onoff -LOC: Config.onoff.ignore_unknown_nameservers -DEFAULT: on -DOC_START - By default Squid checks that DNS responses are received - from the same IP addresses they are sent to. If they - don't match, Squid ignores the response and writes a warning - message to cache.log. You can allow responses from unknown - nameservers by setting this option to 'off'. -DOC_END - -NAME: dns_v4_fallback -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.dns_require_A -DOC_START - Standard practice with DNS is to lookup either A or AAAA records - and use the results if it succeeds. Only looking up the other if - the first attempt fails or otherwise produces no results. - - That policy however will cause squid to produce error pages for some - servers that advertise AAAA but are unreachable over IPv6. - - If this is ON squid will always lookup both AAAA and A, using both. - If this is OFF squid will lookup AAAA and only try A if none found. - - WARNING: There are some possibly unwanted side-effects with this on: - *) Doubles the load placed by squid on the DNS network. - *) May negatively impact connection delay times. -DOC_END - -NAME: ipcache_size -COMMENT: (number of entries) -TYPE: int -DEFAULT: 1024 -LOC: Config.ipcache.size -DOC_NONE - -NAME: ipcache_low -COMMENT: (percent) -TYPE: int -DEFAULT: 90 -LOC: Config.ipcache.low -DOC_NONE - -NAME: ipcache_high -COMMENT: (percent) -TYPE: int -DEFAULT: 95 -LOC: Config.ipcache.high -DOC_START - The size, low-, and high-water marks for the IP cache. 
-DOC_END - -NAME: fqdncache_size -COMMENT: (number of entries) -TYPE: int -DEFAULT: 1024 -LOC: Config.fqdncache.size -DOC_START - Maximum number of FQDN cache entries. -DOC_END - -COMMENT_START - MISCELLANEOUS - ----------------------------------------------------------------------------- -COMMENT_END - -NAME: memory_pools -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.mem_pools -DOC_START - If set, Squid will keep pools of allocated (but unused) memory - available for future use. If memory is a premium on your - system and you believe your malloc library outperforms Squid - routines, disable this. -DOC_END - -NAME: memory_pools_limit -COMMENT: (bytes) -TYPE: b_size_t -DEFAULT: 5 MB -LOC: Config.MemPools.limit -DOC_START - Used only with memory_pools on: - memory_pools_limit 50 MB - - If set to a non-zero value, Squid will keep at most the specified - limit of allocated (but unused) memory in memory pools. All free() - requests that exceed this limit will be handled by your malloc - library. Squid does not pre-allocate any memory, just safe-keeps - objects that otherwise would be free()d. Thus, it is safe to set - memory_pools_limit to a reasonably high value even if your - configuration will use less memory. - - If set to zero, Squid will keep all memory it can. That is, there - will be no limit on the total amount of memory used for safe-keeping. - - To disable memory allocation optimization, do not set - memory_pools_limit to 0. Set memory_pools to "off" instead. - - An overhead for maintaining memory pools is not taken into account - when the limit is checked. This overhead is close to four bytes per - object kept. However, pools may actually _save_ memory because of - reduced memory thrashing in your malloc library. 
-DOC_END - -NAME: forwarded_for -COMMENT: on|off|transparent|truncate|delete -TYPE: string -DEFAULT: on -LOC: opt_forwarded_for -DOC_START - If set to "on", Squid will append your client's IP address - in the HTTP requests it forwards. By default it looks like: - - X-Forwarded-For: 192.1.2.3 - - If set to "off", it will appear as - - X-Forwarded-For: unknown - - If set to "transparent", Squid will not alter the - X-Forwarded-For header in any way. - - If set to "delete", Squid will delete the entire - X-Forwarded-For header. - - If set to "truncate", Squid will remove all existing - X-Forwarded-For entries, and place itself as the sole entry. -DOC_END - -NAME: cachemgr_passwd -TYPE: cachemgrpasswd -DEFAULT: none -LOC: Config.passwd_list -DOC_START - Specify passwords for cachemgr operations. - - Usage: cachemgr_passwd password action action ... - - Some valid actions are (see cache manager menu for a full list): - 5min - 60min - asndb - authenticator - cbdata - client_list - comm_incoming - config * - counters - delay - digest_stats - dns - events - filedescriptors - fqdncache - histograms - http_headers - info - io - ipcache - mem - menu - netdb - non_peers - objects - offline_toggle * - pconn - peer_select - reconfigure * - redirector - refresh - server_list - shutdown * - store_digest - storedir - utilization - via_headers - vm_objects - - * Indicates actions which will not be performed without a - valid password, others can be performed if not listed here. - - To disable an action, set the password to "disable". - To allow performing an action without a password, set the - password to "none". - - Use the keyword "all" to set the same password for all actions. 
- -Example: - cachemgr_passwd secret shutdown - cachemgr_passwd lesssssssecret info stats/objects - cachemgr_passwd disable all -DOC_END - -NAME: client_db -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.client_db -DOC_START - If you want to disable collecting per-client statistics, - turn off client_db here. -DOC_END - -NAME: refresh_all_ims -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.refresh_all_ims -DOC_START - When you enable this option, squid will always check - the origin server for an update when a client sends an - If-Modified-Since request. Many browsers use IMS - requests when the user requests a reload, and this - ensures those clients receive the latest version. - - By default (off), squid may return a Not Modified response - based on the age of the cached version. -DOC_END - -NAME: reload_into_ims -IFDEF: HTTP_VIOLATIONS -COMMENT: on|off -TYPE: onoff -DEFAULT: off -LOC: Config.onoff.reload_into_ims -DOC_START - When you enable this option, client no-cache or ``reload'' - requests will be changed to If-Modified-Since requests. - Doing this VIOLATES the HTTP standard. Enabling this - feature could make you liable for problems which it - causes. - - see also refresh_pattern for a more selective approach. -DOC_END - -NAME: maximum_single_addr_tries -TYPE: int -LOC: Config.retry.maxtries -DEFAULT: 1 -DOC_START - This sets the maximum number of connection attempts for a - host that only has one address (for multiple-address hosts, - each address is tried once). - - The default value is one attempt, the (not recommended) - maximum is 255 tries. A warning message will be generated - if it is set to a value greater than ten. - - Note: This is in addition to the request re-forwarding which - takes place if Squid fails to get a satisfying response. 
-DOC_END - -NAME: retry_on_error -TYPE: onoff -LOC: Config.retry.onerror -DEFAULT: off -DOC_START - If set to on Squid will automatically retry requests when - receiving an error response. This is mainly useful if you - are in a complex cache hierarchy to work around access - control errors. -DOC_END - -NAME: as_whois_server -TYPE: string -LOC: Config.as_whois_server -DEFAULT: whois.ra.net -DEFAULT_IF_NONE: whois.ra.net -DOC_START - WHOIS server to query for AS numbers. NOTE: AS numbers are - queried only when Squid starts up, not for every request. -DOC_END - -NAME: offline_mode -TYPE: onoff -LOC: Config.onoff.offline -DEFAULT: off -DOC_START - Enable this option and Squid will never try to validate cached - objects. -DOC_END - -NAME: uri_whitespace -TYPE: uri_whitespace -LOC: Config.uri_whitespace -DEFAULT: strip -DOC_START - What to do with requests that have whitespace characters in the - URI. Options: - - strip: The whitespace characters are stripped out of the URL. - This is the behavior recommended by RFC2396. - deny: The request is denied. The user receives an "Invalid - Request" message. - allow: The request is allowed and the URI is not changed. The - whitespace characters remain in the URI. Note the - whitespace is passed to redirector processes if they - are in use. - encode: The request is allowed and the whitespace characters are - encoded according to RFC1738. This could be considered - a violation of the HTTP/1.1 - RFC because proxies are not allowed to rewrite URI's. - chop: The request is allowed and the URI is chopped at the - first whitespace. This might also be considered a - violation. -DOC_END - -NAME: chroot -TYPE: string -LOC: Config.chroot_dir -DEFAULT: none -DOC_START - Specifies a directory where Squid should do a chroot() while - initializing. This also causes Squid to fully drop root - privileges after initializing. 
This means, for example, if you - use a HTTP port less than 1024 and try to reconfigure, you may - get an error saying that Squid can not open the port. -DOC_END - -NAME: balance_on_multiple_ip -TYPE: onoff -LOC: Config.onoff.balance_on_multiple_ip -DEFAULT: off -DOC_START - Modern IP resolvers in squid sort lookup results by preferred access. - By default squid will use these IP in order and only rotates to - the next listed when the most preffered fails. - - Some load balancing servers based on round robin DNS have been - found not to preserve user session state across requests - to different IP addresses. - - Enabling this directive Squid rotates IP's per request. -DOC_END - -NAME: pipeline_prefetch -TYPE: onoff -LOC: Config.onoff.pipeline_prefetch -DEFAULT: off -DOC_START - To boost the performance of pipelined requests to closer - match that of a non-proxied environment Squid can try to fetch - up to two requests in parallel from a pipeline. - - Defaults to off for bandwidth management and access logging - reasons. -DOC_END - -NAME: high_response_time_warning -TYPE: int -COMMENT: (msec) -LOC: Config.warnings.high_rptm -DEFAULT: 0 -DOC_START - If the one-minute median response time exceeds this value, - Squid prints a WARNING with debug level 0 to get the - administrators attention. The value is in milliseconds. -DOC_END - -NAME: high_page_fault_warning -TYPE: int -LOC: Config.warnings.high_pf -DEFAULT: 0 -DOC_START - If the one-minute average page fault rate exceeds this - value, Squid prints a WARNING with debug level 0 to get - the administrators attention. The value is in page faults - per second. -DOC_END - -NAME: high_memory_warning -TYPE: b_size_t -LOC: Config.warnings.high_memory -DEFAULT: 0 KB -DOC_START - If the memory usage (as determined by mallinfo) exceeds - this amount, Squid prints a WARNING with debug level 0 to get - the administrators attention. 
-DOC_END - -NAME: sleep_after_fork -COMMENT: (microseconds) -TYPE: int -LOC: Config.sleep_after_fork -DEFAULT: 0 -DOC_START - When this is set to a non-zero value, the main Squid process - sleeps the specified number of microseconds after a fork() - system call. This sleep may help the situation where your - system reports fork() failures due to lack of (virtual) - memory. Note, however, if you have a lot of child - processes, these sleep delays will add up and your - Squid will not service requests for some amount of time - until all the child processes have been started. - On Windows value less then 1000 (1 milliseconds) are - rounded to 1000. -DOC_END - -NAME: windows_ipaddrchangemonitor -IFDEF: _SQUID_MSWIN_ -COMMENT: on|off -TYPE: onoff -DEFAULT: on -LOC: Config.onoff.WIN32_IpAddrChangeMonitor -DOC_START - On Windows Squid by default will monitor IP address changes and will - reconfigure itself after any detected event. This is very useful for - proxies connected to internet with dial-up interfaces. - In some cases (a Proxy server acting as VPN gateway is one) it could be - desiderable to disable this behaviour setting this to 'off'. - Note: after changing this, Squid service must be restarted. -DOC_END - -NAME: eui_lookup -TYPE: onoff -IFDEF: USE_SQUID_EUI -DEFAULT: on -LOC: Eui::TheConfig.euiLookup -DOC_START - Whether to lookup the EUI or MAC address of a connected client. -DOC_END - -EOF +# +# SQUID Web Proxy Cache http://www.squid-cache.org/ +# ---------------------------------------------------------- +# +# Squid is the result of efforts by numerous individuals from +# the Internet community; see the CONTRIBUTORS file for full +# details. Many organizations have provided support for Squid's +# development; see the SPONSORS file for full details. Squid is +# Copyrighted (C) 2000 by the Regents of the University of +# California; see the COPYRIGHT file for full details. 
Squid +# incorporates software developed and/or copyrighted by other +# sources; see the CREDITS file for full details. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +# + +COMMENT_START + WELCOME TO @SQUID@ + ---------------------------- + + This is the default Squid configuration file. You may wish + to look at the Squid home page (http://www.squid-cache.org/) + for the FAQ and other documentation. + + The default Squid config file shows what the defaults for + various options happen to be. If you don't need to change the + default, you shouldn't uncomment the line. Doing so may cause + run-time problems. In some cases "none" refers to no default + setting at all, while in other cases it refers to a valid + option - the comments for that keyword indicate if this is the + case. + +COMMENT_END + +COMMENT_START + Configuration options can be included using the "include" directive. + Include takes a list of files to include. Quoting and wildcards is + supported. + + For example, + + include /path/to/included/file/squid.acl.config + + Includes can be nested up to a hard-coded depth of 16 levels. + This arbitrary restriction is to prevent recursive include references + from causing Squid entering an infinite loop whilst trying to load + configuration files. 
+COMMENT_END + +COMMENT_START + OPTIONS FOR AUTHENTICATION + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: auth_param +TYPE: authparam +LOC: Config.authConfiguration +DEFAULT: none +DOC_START + This is used to define parameters for the various authentication + schemes supported by Squid. + + format: auth_param scheme parameter [setting] + + The order in which authentication schemes are presented to the client is + dependent on the order the scheme first appears in config file. IE + has a bug (it's not RFC 2617 compliant) in that it will use the basic + scheme if basic is the first entry presented, even if more secure + schemes are presented. For now use the order in the recommended + settings section below. If other browsers have difficulties (don't + recognize the schemes offered even if you are using basic) either + put basic first, or disable the other schemes (by commenting out their + program entry). + + Once an authentication scheme is fully configured, it can only be + shutdown by shutting squid down and restarting. Changes can be made on + the fly and activated with a reconfigure. I.E. You can change to a + different helper, but not unconfigure the helper completely. + + Please note that while this directive defines how Squid processes + authentication it does not automatically activate authentication. + To use authentication you must in addition make use of ACLs based + on login name in http_access (proxy_auth, proxy_auth_regex or + external with %LOGIN used in the format tag). The browser will be + challenged for authentication on the first such acl encountered + in http_access processing and will also be re-challenged for new + login credentials if the request is being denied by a proxy_auth + type acl. + + WARNING: authentication can't be used in a transparently intercepting + proxy as the client then thinks it is talking to an origin server and + not the proxy. 
This is a limitation of bending the TCP/IP protocol to + transparently intercepting port 80, not a limitation in Squid. + Ports flagged 'transparent', 'intercept', or 'tproxy' have + authentication disabled. + + === Parameters for the basic scheme follow. === + + "program" cmdline + Specify the command for the external authenticator. Such a program + reads a line containing "username password" and replies "OK" or + "ERR" in an endless loop. "ERR" responses may optionally be followed + by a error description available as %m in the returned error page. + If you use an authenticator, make sure you have 1 acl of type + proxy_auth. + + By default, the basic authentication scheme is not used unless a + program is specified. + + If you want to use the traditional NCSA proxy authentication, set + this line to something like + + auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + + "utf8" on|off + HTTP uses iso-latin-1 as characterset, while some authentication + backends such as LDAP expects UTF-8. If this is set to on Squid will + translate the HTTP iso-latin-1 charset to UTF-8 before sending the + username & password to the helper. + + "children" numberofchildren [startup=N] [idle=N] [concurrency=N] + The maximum number of authenticator processes to spawn. If you start too few + Squid will have to wait for them to process a backlog of credential + verifications, slowing it down. When password verifications are + done via a (slow) network you are likely to need lots of + authenticator processes. + + The startup= and idle= options permit some skew in the exact amount + run. A minimum of startup=N will begin during startup and reconfigure + and Squid will start more in groups of up to idle=N in an attempt to meet + traffic needs and to keep idle=N free above those traffic needs up to + the maximum. + + The concurrency= option sets the number of concurrent requests the + helper can process. 
The default of 0 is used for helpers who only + supports one request at a time. Setting this to a number greater than + 0 changes the protocol used to include a channel number first on the + request/response line, allowing multiple requests to be sent to the + same helper in parallell without wating for the response. + Must not be set unless it's known the helper supports this. + + auth_param basic children 20 startup=0 idle=1 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the basic proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param basic realm Squid proxy-caching web server + + "credentialsttl" timetolive + Specifies how long squid assumes an externally validated + username:password pair is valid for - in other words how + often the helper program is called for that user. Set this + low to force revalidation with short lived passwords. Note + setting this high does not impact your susceptibility + to replay attacks unless you are using an one-time password + system (such as SecureID). If you are using such a system, + you will be vulnerable to replay attacks unless you also + use the max_user_ip ACL in an http_access rule. + + "casesensitive" on|off + Specifies if usernames are case sensitive. Most user databases are + case insensitive allowing the same username to be spelled using both + lower and upper case letters, but some are case sensitive. This + makes a big difference for user_max_ip ACL processing and similar. + auth_param basic casesensitive off + + === Parameters for the digest scheme follow === + + "program" cmdline + Specify the command for the external authenticator. Such + a program reads a line containing "username":"realm" and + replies with the appropriate H(A1) value hex encoded or + ERR if the user (or his H(A1) hash) does not exists. + See rfc 2616 for the definition of H(A1). 
+ "ERR" responses may optionally be followed by a error description + available as %m in the returned error page. + + By default, the digest authentication scheme is not used unless a + program is specified. + + If you want to use a digest authenticator, set this line to + something like + + auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass + + "utf8" on|off + HTTP uses iso-latin-1 as characterset, while some authentication + backends such as LDAP expects UTF-8. If this is set to on Squid will + translate the HTTP iso-latin-1 charset to UTF-8 before sending the + username & password to the helper. + + "children" numberofchildren [startup=N] [idle=N] [concurrency=N] + The maximum number of authenticator processes to spawn (default 5). + If you start too few Squid will have to wait for them to + process a backlog of H(A1) calculations, slowing it down. + When the H(A1) calculations are done via a (slow) network + you are likely to need lots of authenticator processes. + + The startup= and idle= options permit some skew in the exact amount + run. A minimum of startup=N will begin during startup and reconfigure + and Squid will start more in groups of up to idle=N in an attempt to meet + traffic needs and to keep idle=N free above those traffic needs up to + the maximum. + + The concurrency= option sets the number of concurrent requests the + helper can process. The default of 0 is used for helpers who only + supports one request at a time. Setting this to a number greater than + 0 changes the protocol used to include a channel number first on the + request/response line, allowing multiple requests to be sent to the + same helper in parallell without wating for the response. + Must not be set unless it's known the helper supports this. 
+ + auth_param digest children 20 startup=0 idle=1 + + "realm" realmstring + Specifies the realm name which is to be reported to the + client for the digest proxy authentication scheme (part of + the text the user will see when prompted their username and + password). There is no default. + auth_param digest realm Squid proxy-caching web server + + "nonce_garbage_interval" timeinterval + Specifies the interval that nonces that have been issued + to client_agent's are checked for validity. + + "nonce_max_duration" timeinterval + Specifies the maximum length of time a given nonce will be + valid for. + + "nonce_max_count" number + Specifies the maximum number of times a given nonce can be + used. + + "nonce_strictness" on|off + Determines if squid requires strict increment-by-1 behavior + for nonce counts, or just incrementing (off - for use when + useragents generate nonce counts that occasionally miss 1 + (ie, 1,2,4,6)). Default off. + + "check_nonce_count" on|off + This directive if set to off can disable the nonce count check + completely to work around buggy digest qop implementations in + certain mainstream browser versions. Default on to check the + nonce count to protect from authentication replay attacks. + + "post_workaround" on|off + This is a workaround to certain buggy browsers who sends + an incorrect request digest in POST requests when reusing + the same nonce as acquired earlier on a GET request. + + === NTLM scheme options follow === + + "program" cmdline + Specify the command for the external NTLM authenticator. + Such a program reads exchanged NTLMSSP packets with + the browser via Squid until authentication is completed. + If you use an NTLM authenticator, make sure you have 1 acl + of type proxy_auth. By default, the NTLM authenticator_program + is not used. + + auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth + + "children" numberofchildren [startup=N] [idle=N] + The maximum number of authenticator processes to spawn (default 5). 
+ If you start too few Squid will have to wait for them to + process a backlog of credential verifications, slowing it + down. When credential verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + + The startup= and idle= options permit some skew in the exact amount + run. A minimum of startup=N will begin during startup and reconfigure + and Squid will start more in groups of up to idle=N in an attempt to meet + traffic needs and to keep idle=N free above those traffic needs up to + the maximum. + + auth_param ntlm children 20 startup=0 idle=1 + + "keep_alive" on|off + If you experience problems with PUT/POST requests when using the + Negotiate authentication scheme then you can try setting this to + off. This will cause Squid to forcibly close the connection on + the initial requests where the browser asks which schemes are + supported by the proxy. + + auth_param ntlm keep_alive on + + === Options for configuring the NEGOTIATE auth-scheme follow === + + "program" cmdline + Specify the command for the external Negotiate authenticator. + This protocol is used in Microsoft Active-Directory enabled setups with + the Microsoft Internet Explorer or Mozilla Firefox browsers. + Its main purpose is to exchange credentials with the Squid proxy + using the Kerberos mechanisms. + If you use a Negotiate authenticator, make sure you have at least + one acl of type proxy_auth active. By default, the negotiate + authenticator_program is not used. + The only supported program for this role is the ntlm_auth + program distributed as part of Samba, version 4 or later. + + auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego + + "children" numberofchildren [startup=N] [idle=N] + The maximum number of authenticator processes to spawn (default 5). + If you start too few Squid will have to wait for them to + process a backlog of credential verifications, slowing it + down. 
When crendential verifications are done via a (slow) + network you are likely to need lots of authenticator + processes. + + The startup= and idle= options permit some skew in the exact amount + run. A minimum of startup=N will begin during startup and reconfigure + and Squid will start more in groups of up to idle=N in an attempt to meet + traffic needs and to keep idle=N free above those traffic needs up to + the maximum. + + auth_param negotiate children 20 startup=0 idle=1 + + "keep_alive" on|off + If you experience problems with PUT/POST requests when using the + Negotiate authentication scheme then you can try setting this to + off. This will cause Squid to forcibly close the connection on + the initial requests where the browser asks which schemes are + supported by the proxy. + + auth_param negotiate keep_alive on + + + Examples: + +#Recommended minimum configuration per scheme: +#auth_param negotiate program +#auth_param negotiate children 20 startup=0 idle=1 +#auth_param negotiate keep_alive on +# +#auth_param ntlm program +#auth_param ntlm children 20 startup=0 idle=1 +#auth_param ntlm keep_alive on +# +#auth_param digest program +#auth_param digest children 20 startup=0 idle=1 +#auth_param digest realm Squid proxy-caching web server +#auth_param digest nonce_garbage_interval 5 minutes +#auth_param digest nonce_max_duration 30 minutes +#auth_param digest nonce_max_count 50 +# +#auth_param basic program +#auth_param basic children 5 stratup=5 idle=1 +#auth_param basic realm Squid proxy-caching web server +#auth_param basic credentialsttl 2 hours +DOC_END + +NAME: authenticate_cache_garbage_interval +TYPE: time_t +DEFAULT: 1 hour +LOC: Config.authenticateGCInterval +DOC_START + The time period between garbage collection across the username cache. + This is a tradeoff between memory utilization (long intervals - say + 2 days) and CPU (short intervals - say 1 minute). Only change if you + have good reason to. 
+DOC_END + +NAME: authenticate_ttl +TYPE: time_t +DEFAULT: 1 hour +LOC: Config.authenticateTTL +DOC_START + The time a user & their credentials stay in the logged in + user cache since their last request. When the garbage + interval passes, all user credentials that have passed their + TTL are removed from memory. +DOC_END + +NAME: authenticate_ip_ttl +TYPE: time_t +LOC: Config.authenticateIpTTL +DEFAULT: 0 seconds +DOC_START + If you use proxy authentication and the 'max_user_ip' ACL, + this directive controls how long Squid remembers the IP + addresses associated with each user. Use a small value + (e.g., 60 seconds) if your users might change addresses + quickly, as is the case with dialups. You might be safe + using a larger value (e.g., 2 hours) in a corporate LAN + environment with relatively static address assignments. +DOC_END + +COMMENT_START + ACCESS CONTROLS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: external_acl_type +TYPE: externalAclHelper +LOC: Config.externalAclHelperList +DEFAULT: none +DOC_START + This option defines external acl classes using a helper program + to look up the status + + external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] + + Options: + + ttl=n TTL in seconds for cached results (defaults to 3600 + for 1 hour) + negative_ttl=n + TTL for cached negative lookups (default same + as ttl) + children-max=n + Maximum number of acl helper processes spawned to service + external acl lookups of this type. (default 20) + children-startup=n + Minimum number of acl helper processes to spawn during + startup and reconfigure to service external acl lookups + of this type. (default 0) + children-idle=n + Number of acl helper processes to keep ahead of traffic + loads. Squid will spawn this many at once whenever load + rises above the capabilities of existing processes. + Up to the value of children-max. (default 1) + concurrency=n concurrency level per process. 
Only used with helpers + capable of processing more than one query at a time. + cache=n limit the result cache size, default is unbounded. + grace=n Percentage remaining of TTL where a refresh of a + cached entry should be initiated without needing to + wait for a new reply. (default is for no grace period) + protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers + ipv4 / ipv6 IP-mode used to communicate to this helper. + For compatability with older configurations and helpers + the default is 'ipv4'. + + FORMAT specifications + + %LOGIN Authenticated user login name + %EXT_USER Username from external acl + %IDENT Ident user name + %SRC Client IP + %SRCPORT Client source port + %URI Requested URI + %DST Requested host + %PROTO Requested protocol + %PORT Requested port + %PATH Requested URL path + %METHOD Request method + %MYADDR Squid interface address + %MYPORT Squid http_port number + %PATH Requested URL-path (including query-string if any) + %USER_CERT SSL User certificate in PEM format + %USER_CERTCHAIN SSL User certificate chain in PEM format + %USER_CERT_xx SSL User certificate subject attribute xx + %USER_CA_xx SSL User certificate issuer attribute xx + + %>{Header} HTTP request header "Header" + %>{Hdr:member} + HTTP request header "Hdr" list member "member" + %>{Hdr:;member} + HTTP request header list member using ; as + list separator. ; can be any non-alphanumeric + character. + + %<{Header} HTTP reply header "Header" + %<{Hdr:member} + HTTP reply header "Hdr" list member "member" + %<{Hdr:;member} + HTTP reply header list member using ; as + list separator. ; can be any non-alphanumeric + character. 
+ + In addition to the above, any string specified in the referencing + acl will also be included in the helper request line, after the + specified formats (see the "acl external" directive) + + The helper receives lines per the above format specification, + and returns lines starting with OK or ERR indicating the validity + of the request and optionally followed by additional keywords with + more details. + + General result syntax: + + OK/ERR keyword=value ... + + Defined keywords: + + user= The users name (login) + password= The users password (for login= cache_peer option) + message= Message describing the reason. Available as %o + in error pages + tag= Apply a tag to a request (for both ERR and OK results) + Only sets a tag, does not alter existing tags. + log= String to be logged in access.log. Available as + %ea in logformat specifications + + If protocol=3.0 (the default) then URL escaping is used to protect + each value in both requests and responses. + + If using protocol=2.5 then all values need to be enclosed in quotes + if they may contain whitespace, or the whitespace escaped using \. + And quotes or \ characters within the keyword value must be \ escaped. + + When using the concurrency= option the protocol is changed by + introducing a query channel tag infront of the request/response. + The query channel tag is a number between 0 and concurrency-1. +DOC_END + +NAME: acl +TYPE: acl +LOC: Config.aclList +DEFAULT: all src all +DOC_START + Defining an Access List + + Every access list definition must begin with an aclname and acltype, + followed by either type-specific arguments or a quoted filename that + they are read from. + + acl aclname acltype argument ... + acl aclname acltype "file" ... + + When using "file", the file should contain one item per line. + + By default, regular expressions are CASE-SENSITIVE. To make + them case-insensitive, use the -i option. 
+ + Some acl types require suspending the current request in order + to access some external data source. + Those which do are marked with the tag [slow], those which + don't are marked as [fast]. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl + for further information + + ***** ACL TYPES AVAILABLE ***** + + acl aclname src ip-address/netmask ... # clients IP address [fast] + acl aclname src addr1-addr2/netmask ... # range of addresses [fast] + acl aclname dst ip-address/netmask ... # URL host's IP address [slow] + acl aclname myip ip-address/netmask ... # local socket IP address [fast] + + acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation) + # The arp ACL requires the special configure option --enable-arp-acl. + # Furthermore, the ARP ACL code is not portable to all operating systems. + # It works on Linux, Solaris, Windows, FreeBSD, and some + # other *BSD variants. + # [fast] + # + # NOTE: Squid can only determine the MAC address for clients that are on + # the same subnet. If the client is on a different subnet, + # then Squid cannot find out its MAC address. + + acl aclname srcdomain .foo.com ... + # reverse lookup, from client IP [slow] + acl aclname dstdomain .foo.com ... + # Destination server from URL [fast] + acl aclname srcdom_regex [-i] \.foo\.com ... + # regex matching client name [slow] + acl aclname dstdom_regex [-i] \.foo\.com ... + # regex matching server [fast] + # + # For dstdomain and dstdom_regex a reverse lookup is tried if a IP + # based URL is used and no match is found. The name "none" is used + # if the reverse lookup fails. + + acl aclname src_as number ... + acl aclname dst_as number ... + # [fast] + # Except for access control, AS numbers can be used for + # routing of requests to specific caches. 
Here's an + # example for routing all requests for AS#1241 and only + # those to mycache.mydomain.net: + # acl asexample dst_as 1241 + # cache_peer_access mycache.mydomain.net allow asexample + # cache_peer_access mycache_mydomain.net deny all + + acl aclname peername myPeer ... + # [fast] + # match against a named cache_peer entry + # set unique name= on cache_peer lines for reliable use. + + acl aclname time [day-abbrevs] [h1:m1-h2:m2] + # [fast] + # day-abbrevs: + # S - Sunday + # M - Monday + # T - Tuesday + # W - Wednesday + # H - Thursday + # F - Friday + # A - Saturday + # h1:m1 must be less than h2:m2 + + acl aclname url_regex [-i] ^http:// ... + # regex matching on whole URL [fast] + acl aclname urlpath_regex [-i] \.gif$ ... + # regex matching on URL path [fast] + + acl aclname port 80 70 21 0-1024... # destination TCP port [fast] + # ranges are alloed + acl aclname myport 3128 ... # local socket TCP port [fast] + acl aclname myportname 3128 ... # http(s)_port name [fast] + + acl aclname proto HTTP FTP ... # request protocol [fast] + + acl aclname method GET POST ... # HTTP request method [fast] + + acl aclname http_status 200 301 500- 400-403 ... + # status code in reply [fast] + + acl aclname browser [-i] regexp ... + # pattern match on User-Agent header (see also req_header below) [fast] + + acl aclname referer_regex [-i] regexp ... + # pattern match on Referer header [fast] + # Referer is highly unreliable, so use with care + + acl aclname ident username ... + acl aclname ident_regex [-i] pattern ... + # string match on ident output [slow] + # use REQUIRED to accept any non-null ident. + + acl aclname proxy_auth [-i] username ... + acl aclname proxy_auth_regex [-i] pattern ... + # perform http authentication challenge to the client and match against + # supplied credentials [slow] + # + # takes a list of allowed usernames. + # use REQUIRED to accept any valid username. 
+ # + # Will use proxy authentication in forward-proxy scenarios, and plain + # http authenticaiton in reverse-proxy scenarios + # + # NOTE: when a Proxy-Authentication header is sent but it is not + # needed during ACL checking the username is NOT logged + # in access.log. + # + # NOTE: proxy_auth requires a EXTERNAL authentication program + # to check username/password combinations (see + # auth_param directive). + # + # NOTE: proxy_auth can't be used in a transparent/intercepting proxy + # as the browser needs to be configured for using a proxy in order + # to respond to proxy authentication. + + acl aclname snmp_community string ... + # A community string to limit access to your SNMP Agent [fast] + # Example: + # + # acl snmppublic snmp_community public + + acl aclname maxconn number + # This will be matched when the client's IP address has + # more than HTTP connections established. [fast] + + acl aclname max_user_ip [-s] number + # This will be matched when the user attempts to log in from more + # than different ip addresses. The authenticate_ip_ttl + # parameter controls the timeout on the ip entries. [fast] + # If -s is specified the limit is strict, denying browsing + # from any further IP addresses until the ttl has expired. Without + # -s Squid will just annoy the user by "randomly" denying requests. + # (the counter is reset each time the limit is reached and a + # request is denied) + # NOTE: in acceleration mode or where there is mesh of child proxies, + # clients may appear to come from multiple addresses if they are + # going through proxy farms, so a limit of 1 may cause user problems. + + acl aclname random probability + # Pseudo-randomly match requests. Based on the probability given. + # Probability may be written as a decimal (0.333), fraction (1/3) + # or ratio of matches:non-matches (3:5). + + acl aclname req_mime_type [-i] mime-type ... + # regex match against the mime type of the request generated + # by the client. 
Can be used to detect file upload or some + # types HTTP tunneling requests [fast] + # NOTE: This does NOT match the reply. You cannot use this + # to match the returned file type. + + acl aclname req_header header-name [-i] any\.regex\.here + # regex match against any of the known request headers. May be + # thought of as a superset of "browser", "referer" and "mime-type" + # ACL [fast] + + acl aclname rep_mime_type [-i] mime-type ... + # regex match against the mime type of the reply received by + # squid. Can be used to detect file download or some + # types HTTP tunneling requests. [fast] + # NOTE: This has no effect in http_access rules. It only has + # effect in rules that affect the reply data stream such as + # http_reply_access. + + acl aclname rep_header header-name [-i] any\.regex\.here + # regex match against any of the known reply headers. May be + # thought of as a superset of "browser", "referer" and "mime-type" + # ACLs [fast] + + acl aclname external class_name [arguments...] + # external ACL lookup via a helper class defined by the + # external_acl_type directive [slow] + + acl aclname user_cert attribute values... + # match against attributes in a user SSL certificate + # attribute is one of DN/C/O/CN/L/ST [fast] + + acl aclname ca_cert attribute values... + # match against attributes a users issuing CA SSL certificate + # attribute is one of DN/C/O/CN/L/ST [fast] + + acl aclname ext_user username ... + acl aclname ext_user_regex [-i] pattern ... + # string match on username returned by external acl helper [slow] + # use REQUIRED to accept any non-null user name. + + acl aclname tag tagvalue ... + # string match on tag returned by external acl helper [slow] + + acl aclname hier_code codename ... + # string match against squid hierarchy code(s); [fast] + # e.g., DIRECT, PARENT_HIT, NONE, etc. + # + # NOTE: This has no effect in http_access rules. It only has + # effect in rules that affect the reply data stream such as + # http_reply_access. 
+ + Examples: + acl macaddress arp 09:00:2b:23:45:67 + acl myexample dst_as 1241 + acl password proxy_auth REQUIRED + acl fileupload req_mime_type -i ^multipart/form-data$ + acl javascript rep_mime_type -i ^application/x-javascript$ + +NOCOMMENT_START +# +# Recommended minimum configuration: +# +acl manager proto cache_object +acl localhost src 127.0.0.1/32 +@IPV6_ONLY_SETTING@acl localhost src ::1/128 +acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 +@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128 + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +@IPV6_ONLY_SETTING@acl localnet src fc00::/7 # RFC 4193 local private network range +@IPV6_ONLY_SETTING@acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT +NOCOMMENT_END +DOC_END + +NAME: follow_x_forwarded_for +TYPE: acl_access +IFDEF: FOLLOW_X_FORWARDED_FOR +LOC: Config.accessList.followXFF +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying the X-Forwarded-For header to be followed to + find the original source of a request. + + Requests may pass through a chain of several other proxies + before reaching us. The X-Forwarded-For header will contain a + comma-separated list of the IP addresses in the chain, with the + rightmost address being the most recent. 
+ + If a request reaches us from a source that is allowed by this + configuration item, then we consult the X-Forwarded-For header + to see where that host received the request from. If the + X-Forwarded-For header contains multiple addresses, and if + acl_uses_indirect_client is on, then we continue backtracking + until we reach an address for which we are not allowed to + follow the X-Forwarded-For header, or until we reach the first + address in the list. (If acl_uses_indirect_client is off, then + it's impossible to backtrack through more than one level of + X-Forwarded-For addresses.) + + The end result of this process is an IP address that we will + refer to as the indirect client address. This address may + be treated as the client address for access control, ICAP, delay + pools and logging, depending on the acl_uses_indirect_client, + icap_uses_indirect_client, delay_pool_uses_indirect_client and + log_uses_indirect_client options. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + + SECURITY CONSIDERATIONS: + + Any host for which we follow the X-Forwarded-For header + can place incorrect information in the header, and Squid + will use the incorrect information as if it were the + source address of the request. This may enable remote + hosts to bypass any access control restrictions that are + based on the client's source addresses. + + For example: + + acl localhost src 127.0.0.1 + acl my_other_proxy srcdomain .proxy.example.com + follow_x_forwarded_for allow localhost + follow_x_forwarded_for allow my_other_proxy +DOC_END + +NAME: acl_uses_indirect_client +COMMENT: on|off +TYPE: onoff +IFDEF: FOLLOW_X_FORWARDED_FOR +DEFAULT: on +LOC: Config.onoff.acl_uses_indirect_client +DOC_START + Controls whether the indirect client address + (see follow_x_forwarded_for) is used instead of the + direct client address in acl matching. 
+DOC_END + +NAME: delay_pool_uses_indirect_client +COMMENT: on|off +TYPE: onoff +IFDEF: FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS +DEFAULT: on +LOC: Config.onoff.delay_pool_uses_indirect_client +DOC_START + Controls whether the indirect client address + (see follow_x_forwarded_for) is used instead of the + direct client address in delay pools. +DOC_END + +NAME: log_uses_indirect_client +COMMENT: on|off +TYPE: onoff +IFDEF: FOLLOW_X_FORWARDED_FOR +DEFAULT: on +LOC: Config.onoff.log_uses_indirect_client +DOC_START + Controls whether the indirect client address + (see follow_x_forwarded_for) is used instead of the + direct client address in the access log. +DOC_END + +NAME: http_access +TYPE: acl_access +LOC: Config.accessList.http +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access based on defined access lists + + Access to the HTTP port: + http_access allow|deny [!]aclname ... + + NOTE on default values: + + If there are no "access" lines present, the default is to deny + the request. + + If none of the "access" lines cause a match, the default is the + opposite of the last line in the list. If the last line was + deny, the default is allow. Conversely, if the last line + is allow, the default will be deny. For these reasons, it is a + good idea to have an "deny all" entry at the end of your access + lists to avoid potential confusion. + + This clause supports both fast and slow acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+ +NOCOMMENT_START + +# +# Recommended minimum Access Permission configuration: +# +# Only allow cachemgr access from localhost +http_access allow manager localhost +http_access deny manager + +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. +# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all +NOCOMMENT_END +DOC_END + +NAME: adapted_http_access http_access2 +TYPE: acl_access +LOC: Config.accessList.adapted_http +DEFAULT: none +DOC_START + Allowing or Denying access based on defined access lists + + Essentially identical to http_access, but runs after redirectors + and ICAP/eCAP adaptation. Allowing access control based on their + output. + + If not set then only http_access is used. +DOC_END + +NAME: http_reply_access +TYPE: acl_access +LOC: Config.accessList.reply +DEFAULT: none +DOC_START + Allow replies to client requests. This is complementary to http_access. + + http_reply_access allow|deny [!] aclname ... + + NOTE: if there are no access lines present, the default is to allow + all replies + + If none of the access lines cause a match the opposite of the + last line will apply. Thus it is good practice to end the rules + with an "allow all" or "deny all" entry. + + This clause supports both fast and slow acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. 
+DOC_END + +NAME: icp_access +TYPE: acl_access +LOC: Config.accessList.icp +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to the ICP port based on defined + access lists + + icp_access allow|deny [!]aclname ... + + See http_access for details + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + +# Allow ICP queries from local networks only +#icp_access allow localnet +#icp_access deny all +DOC_END + +NAME: htcp_access +IFDEF: USE_HTCP +TYPE: acl_access +LOC: Config.accessList.htcp +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to the HTCP port based on defined + access lists + + htcp_access allow|deny [!]aclname ... + + See http_access for details + + NOTE: The default if no htcp_access lines are present is to + deny all traffic. This default may cause problems with peers + using the htcp or htcp-oldsquid options. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + +# Allow HTCP queries from local networks only +#htcp_access allow localnet +#htcp_access deny all +DOC_END + +NAME: htcp_clr_access +IFDEF: USE_HTCP +TYPE: acl_access +LOC: Config.accessList.htcp_clr +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + Allowing or Denying access to purge content using HTCP based + on defined access lists + + htcp_clr_access allow|deny [!]aclname ... + + See http_access for details + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + +# Allow HTCP CLR requests from trusted peers +acl htcp_clr_peer src 172.16.1.2 +htcp_clr_access allow htcp_clr_peer +DOC_END + +NAME: miss_access +TYPE: acl_access +LOC: Config.accessList.miss +DEFAULT: allow all +DOC_START + Use to force your neighbors to use you as a sibling instead of + a parent. 
For example: + + acl localclients src 172.16.0.0/16 + miss_access allow localclients + miss_access deny !localclients + + This means only your local clients are allowed to fetch + MISSES and all other clients can only fetch HITS. + + By default, allow all clients who passed the http_access rules + to fetch MISSES from us. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +NAME: ident_lookup_access +TYPE: acl_access +IFDEF: USE_IDENT +DEFAULT: none +DEFAULT_IF_NONE: deny all +LOC: Ident::TheConfig.identLookup +DOC_START + A list of ACL elements which, if matched, cause an ident + (RFC 931) lookup to be performed for this request. For + example, you might choose to always perform ident lookups + for your main multi-user Unix boxes, but not for your Macs + and PCs. By default, ident lookups are not performed for + any requests. + + To enable ident lookups for specific client addresses, you + can follow this example: + + acl ident_aware_hosts src 198.168.1.0/24 + ident_lookup_access allow ident_aware_hosts + ident_lookup_access deny all + + Only src type ACL checks are fully supported. A srcdomain + ACL might work at times, but it will not always provide + the correct result. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +NAME: reply_body_max_size +COMMENT: size [acl acl...] +TYPE: acl_b_size_t +DEFAULT: none +LOC: Config.ReplyBodySize +DOC_START + This option specifies the maximum size of a reply body. It can be + used to prevent users from downloading very large files, such as + MP3's and movies. When the reply headers are received, the + reply_body_max_size lines are processed, and the first line where + all (if any) listed ACLs are true is used as the maximum body size + for this reply. + + This size is checked twice. First when we get the reply headers, + we check the content-length value. 
If the content length value exists + and is larger than the allowed size, the request is denied and the + user receives an error message that says "the request or reply + is too large." If there is no content-length, and the reply + size exceeds this limit, the client's connection is just closed + and they will receive a partial reply. + + WARNING: downstream caches probably can not detect a partial reply + if there is no content-length header, so they will cache + partial responses and give them out as hits. You should NOT + use this option if you have downstream caches. + + WARNING: A maximum size smaller than the size of squid's error messages + will cause an infinite loop and crash squid. Ensure that the smallest + non-zero value you use is greater that the maximum header size plus + the size of your largest error page. + + If you set this parameter none (the default), there will be + no limit imposed. + + Configuration Format is: + reply_body_max_size SIZE UNITS [acl ...] + ie. + reply_body_max_size 10 MB + +DOC_END + +COMMENT_START + NETWORK OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: http_port ascii_port +TYPE: http_port_list +DEFAULT: none +LOC: Config.Sockaddr.http +DOC_START + Usage: port [mode] [options] + hostname:port [mode] [options] + 1.2.3.4:port [mode] [options] + + The socket addresses where Squid will listen for HTTP client + requests. You may specify multiple socket addresses. + There are three forms: port alone, hostname with port, and + IP address with port. If you specify a hostname or IP + address, Squid binds the socket to that specific + address. Most likely, you do not need to bind to a specific + address, so you can use the port number alone. + + If you are running Squid in accelerator mode, you + probably want to listen on port 80 also, or instead. + + The -a command line option may be used to specify additional + port(s) where Squid listens for proxy request. 
Such ports will + be plain proxy ports with no options. + + You may specify multiple socket addresses on multiple lines. + + Modes: + + intercept Support for IP-Layer interception of + outgoing requests without browser settings. + NP: disables authentication and IPv6 on the port. + + tproxy Support Linux TPROXY for spoofing outgoing + connections using the client IP address. + NP: disables authentication and maybe IPv6 on the port. + + accel Accelerator mode. Also needs at least one of + vhost / vport / defaultsite. + + sslbump Intercept each CONNECT request matching ssl_bump ACL, + establish secure connection with the client and with + the server, decrypt HTTP messages as they pass through + Squid, and treat them as unencrypted HTTP messages, + becoming the man-in-the-middle. + + The ssl_bump option is required to fully enable + the SslBump feature. + + Omitting the mode flag causes default forward proxy mode to be used. + + + Accelerator Mode Options: + + allow-direct Allow direct forwarding in accelerator mode. Normally + accelerated requests are denied direct forwarding as if + never_direct was used. + + defaultsite=domainname + What to use for the Host: header if it is not present + in a request. Determines what site (not origin server) + accelerators should consider the default. + Implies accel. + + vhost Using the Host header for virtual domain support. + Also uses the port as specified in Host: header. + + vport IP based virtual host support. Using the http_port number + in passed on Host: headers. + + vport=NN Uses the specified port number rather than the + http_port number. + + protocol= Protocol to reconstruct accelerated requests with. + Defaults to http://. + + ignore-cc Ignore request Cache-Control headers. + + Warning: This option violates HTTP specifications if + used in non-accelerator setups. + + + SSL Bump Mode Options: + + cert= Path to SSL certificate (PEM format). 
+ + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file. + + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + + cipher= Colon separated list of supported ciphers. + + options= Various SSL engine options. The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. + + clientca= File containing the list of CAs to use when + requesting a client certificate. + + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. + + capath= Directory containing additional CA certificates + and CRL lists to use when verifying client certificates. + + crlfile= File of additional CRL lists to use when verifying + the client certificate, in addition to CRLs stored in + the capath. Implies VERIFY_CRL flag below. + + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges. + + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate (not yet implemented). + NO_DEFAULT_CA + Don't use the default CA lists built in + to OpenSSL. + NO_SESSION_REUSE + Don't allow for session reuse. Each connection + will result in a new SSL session. + VERIFY_CRL + Verify CRL lists when accepting client + certificates. + VERIFY_CRL_ALL + Verify CRL lists for all certificates in the + client certificate chain. + + sslcontext= SSL session ID context identifier. 
+ + + Other Options: + + connection-auth[=on|off] + use connection-auth=off to tell Squid to prevent + forwarding Microsoft connection oriented authentication + (NTLM, Negotiate and Kerberos) + + disable-pmtu-discovery= + Control Path-MTU discovery usage: + off lets OS decide on what to do (default). + transparent disable PMTU discovery when transparent + support is enabled. + always disable always PMTU discovery. + + In many setups of transparently intercepting proxies + Path-MTU discovery can not work on traffic towards the + clients. This is the case when the intercepting device + does not fully track connections and fails to forward + ICMP must fragment messages to the cache server. If you + have such setup and experience that certain clients + sporadically hang or never complete requests set + disable-pmtu-discovery option to 'transparent'. + + name= Specifies a internal name for the port. Defaults to + the port specification (port or addr:port) + + tcpkeepalive[=idle,interval,timeout] + Enable TCP keepalive probes of idle connections + idle is the initial time before TCP starts probing + the connection, interval how often to probe, and + timeout the time before giving up. + + If you run Squid on a dual-homed machine with an internal + and an external interface we recommend you to specify the + internal address:port in http_port. This way Squid will only be + visible on the internal address. + +NOCOMMENT_START + +# Squid normally listens to port 3128 +http_port @DEFAULT_HTTP_PORT@ +NOCOMMENT_END +DOC_END + +NAME: https_port +IFDEF: USE_SSL +TYPE: https_port_list +DEFAULT: none +LOC: Config.Sockaddr.https +DOC_START + Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] + + The socket address where Squid will listen for HTTPS client + requests. + + This is really only useful for situations where you are running + squid in accelerator mode and you want to do the SSL work at the + accelerator level. 
+ + You may specify multiple socket addresses on multiple lines, + each with their own SSL certificate and/or options. + + Options: + + accel Accelerator mode. Also needs at least one of + defaultsite or vhost. + + defaultsite= The name of the https site presented on + this port. Implies accel. + + vhost Accelerator mode using Host header for virtual + domain support. Requires a wildcard certificate + or other certificate valid for more than one domain. + Implies accel. + + protocol= Protocol to reconstruct accelerated requests with. + Defaults to https. + + cert= Path to SSL certificate (PEM format). + + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file. + + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + + cipher= Colon separated list of supported ciphers. + + options= Various SSL engine options. The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. + + clientca= File containing the list of CAs to use when + requesting a client certificate. + + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. + + capath= Directory containing additional CA certificates + and CRL lists to use when verifying client certificates. + + crlfile= File of additional CRL lists to use when verifying + the client certificate, in addition to CRLs stored in + the capath. Implies VERIFY_CRL flag below. + + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges. 
+ + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate (not yet implemented). + NO_DEFAULT_CA + Don't use the default CA lists built in + to OpenSSL. + NO_SESSION_REUSE + Don't allow for session reuse. Each connection + will result in a new SSL session. + VERIFY_CRL + Verify CRL lists when accepting client + certificates. + VERIFY_CRL_ALL + Verify CRL lists for all certificates in the + client certificate chain. + + sslcontext= SSL session ID context identifier. + + vport Accelerator with IP based virtual host support. + + vport=NN As above, but uses specified port number rather + than the https_port number. Implies accel. + + name= Specifies a internal name for the port. Defaults to + the port specification (port or addr:port) + +DOC_END + +NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp +TYPE: acl_tos +DEFAULT: none +LOC: Config.accessList.outgoing_tos +DOC_START + Allows you to select a TOS/Diffserv value to mark outgoing + connections with, based on the username or source address + making the request. + + tcp_outgoing_tos ds-field [!]aclname ... + + Example where normal_service_net uses the TOS value 0x00 + and good_service_net uses 0x20 + + acl normal_service_net src 10.0.0.0/255.255.255.0 + acl good_service_net src 10.0.1.0/255.255.255.0 + tcp_outgoing_tos 0x00 normal_service_net + tcp_outgoing_tos 0x20 good_service_net + + TOS/DSCP values really only have local significance - so you should + know what you're specifying. For more information, see RFC2474, + RFC2475, and RFC3260. + + The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or + "default" to use whatever default your host has. Note that in + practice often only values 0 - 63 is usable as the two highest bits + have been redefined for use by ECN (RFC3168). + + Processing proceeds in the order specified, and stops at first fully + matching line. 
+ + Note: The use of this directive using client dependent ACLs is + incompatible with the use of server side persistent connections. To + ensure correct results it is best to set server_persisten_connections + to off when using this directive in such configurations. +DOC_END + +NAME: clientside_tos +TYPE: acl_tos +DEFAULT: none +LOC: Config.accessList.clientside_tos +DOC_START + Allows you to select a TOS/Diffserv value to mark client-side + connections with, based on the username or source address + making the request. +DOC_END + +NAME: qos_flows +TYPE: QosConfig +IFDEF: USE_ZPH_QOS +DEFAULT: none +LOC: Ip::Qos::TheConfig +DOC_START + Allows you to select a TOS/DSCP value to mark outgoing + connections with, based on where the reply was sourced. + + TOS values really only have local significance - so you should + know what you're specifying. For more information, see RFC2474, + RFC2475, and RFC3260. + + The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF. + Note that in practice often only values up to 0x3F are usable + as the two highest bits have been redefined for use by ECN + (RFC3168). + + This setting is configured by setting the source TOS values: + + local-hit=0xFF Value to mark local cache hits. + + sibling-hit=0xFF Value to mark hits from sibling peers. + + parent-hit=0xFF Value to mark hits from parent peers. + + + NOTE: 'miss' preserve feature is only possible on Linux at this time. + + For the following to work correctly, you will need to patch your + linux kernel with the TOS preserving ZPH patch. + The kernel patch can be downloaded from http://zph.bratcheda.org + + disable-preserve-miss + If set, any HTTP response towards clients will + have the TOS value of the response comming from the + remote server masked with the value of miss-mask. + + miss-mask=0xFF + Allows you to mask certain bits in the TOS received from the + remote server, before copying the value to the TOS sent + towards clients. 
+ Default: 0xFF (TOS from server is not changed). + +DOC_END + +NAME: tcp_outgoing_address +TYPE: acl_address +DEFAULT: none +LOC: Config.accessList.outgoing_address +DOC_START + Allows you to map requests to different outgoing IP addresses + based on the username or source address of the user making + the request. + + tcp_outgoing_address ipaddr [[!]aclname] ... + + Example where requests from 10.0.0.0/24 will be forwarded + with source address 10.1.0.1, 10.0.2.0/24 forwarded with + source address 10.1.0.2 and the rest will be forwarded with + source address 10.1.0.3. + + acl normal_service_net src 10.0.0.0/24 + acl good_service_net src 10.0.2.0/24 + tcp_outgoing_address 10.1.0.1 normal_service_net + tcp_outgoing_address 10.1.0.2 good_service_net + tcp_outgoing_address 10.1.0.3 + + Processing proceeds in the order specified, and stops at first fully + matching line. + + Note: The use of this directive using client dependent ACLs is + incompatible with the use of server side persistent connections. To + ensure correct results it is best to set server_persistent_connections + to off when using this directive in such configurations. + + Note: The use of this directive to set a local IP on outgoing TCP links + is incompatible with using TPROXY to set client IP out outbound TCP links. + When needing to contact peers use the no-tproxy cache_peer option to + re-enable normal forwarding such as this. + + IPv6 Magic: + + Squid is built with a capability of bridging the IPv4 and IPv6 + internets. + tcp_outgoing_address as exampled above breaks this bridging by forcing + all outbound traffic through a certain IPv4 which may be on the wrong + side of the IPv4/IPv6 boundary. + + To operate with tcp_outgoing_address and keep the bridging benefits + an additional ACL needs to be used which ensures the IPv6-bound traffic + is never forced or permitted out the IPv4 interface. 
+ + acl to_ipv6 dst ipv6 + tcp_outgoing_address 2002::c001 good_service_net to_ipv6 + tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 + + tcp_outgoing_address 2002::beef normal_service_net to_ipv6 + tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 + + tcp_outgoing_address 2002::1 to_ipv6 + tcp_outgoing_address 10.1.0.3 !to_ipv6 + + WARNING: + 'dst ipv6' bases its selection assuming DIRECT access. + If peers are used the peername ACL are needed to select outgoing + address which can link to the peer. + + 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used + previously in the http_access rules to locate the destination IP. + Some more magic may be needed for that: + http_access allow to_ipv6 !all + (meaning, allow if to IPv6 but not from anywhere ;) + +DOC_END + +COMMENT_START + SSL OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: ssl_unclean_shutdown +IFDEF: USE_SSL +TYPE: onoff +DEFAULT: off +LOC: Config.SSL.unclean_shutdown +DOC_START + Some browsers (especially MSIE) bugs out on SSL shutdown + messages. +DOC_END + +NAME: ssl_engine +IFDEF: USE_SSL +TYPE: string +LOC: Config.SSL.ssl_engine +DEFAULT: none +DOC_START + The OpenSSL engine to use. You will need to set this if you + would like to use hardware SSL acceleration for example. 
+DOC_END + +NAME: sslproxy_client_certificate +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cert +TYPE: string +DOC_START + Client SSL Certificate to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_client_key +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.key +TYPE: string +DOC_START + Client SSL Key to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_version +IFDEF: USE_SSL +DEFAULT: 1 +LOC: Config.ssl_client.version +TYPE: int +DOC_START + SSL version level to use when proxying https:// URLs +DOC_END + +NAME: sslproxy_options +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.options +TYPE: string +DOC_START + SSL engine options to use when proxying https:// URLs + + The most important being: + + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE + Always create a new key when using + temporary/ephemeral DH key exchanges + + These options vary depending on your SSL engine. + See the OpenSSL SSL_CTX_set_options documentation for a + complete list of possible options. +DOC_END + +NAME: sslproxy_cipher +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cipher +TYPE: string +DOC_START + SSL cipher list to use when proxying https:// URLs + + Colon separated list of supported ciphers. 
+DOC_END + +NAME: sslproxy_cafile +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cafile +TYPE: string +DOC_START + file containing CA certificates to use when verifying server + certificates while proxying https:// URLs +DOC_END + +NAME: sslproxy_capath +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.capath +TYPE: string +DOC_START + directory containing CA certificates to use when verifying + server certificates while proxying https:// URLs +DOC_END + +NAME: ssl_bump +IFDEF: USE_SSL +TYPE: acl_access +LOC: Config.accessList.ssl_bump +DEFAULT: none +DOC_START + This ACL controls which CONNECT requests to an http_port + marked with an sslBump flag are actually "bumped". Please + see the sslBump flag of an http_port option for more details + about decoding proxied SSL connections. + + By default, no requests are bumped. + + See also: http_port sslBump + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + + + # Example: Bump all requests except those originating from localhost and + # those going to webax.com or example.com sites. + + acl localhost src 127.0.0.1/32 + acl broken_sites dstdomain .webax.com + acl broken_sites dstdomain .example.com + ssl_bump deny localhost + ssl_bump deny broken_sites + ssl_bump allow all +DOC_END + +NAME: sslproxy_flags +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.flags +TYPE: string +DOC_START + Various flags modifying the use of SSL while proxying https:// URLs: + DONT_VERIFY_PEER Accept certificates that fail verification. + For refined control, see sslproxy_cert_error. + NO_DEFAULT_CA Don't use the default CA list built in + to OpenSSL. +DOC_END + + +NAME: sslproxy_cert_error +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.ssl_client.cert_error +TYPE: acl_access +DOC_START + Use this ACL to bypass server certificate validation errors. 
+ + For example, the following lines will bypass all validation errors + when talking to servers located at 172.16.0.0/16. All other + validation errors will result in ERR_SECURE_CONNECT_FAIL error. + + acl BrokenServersAtTrustedIP dst 172.16.0.0/16 + sslproxy_cert_error allow BrokenServersAtTrustedIP + sslproxy_cert_error deny all + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + Using slow acl types may result in server crashes + + Without this option, all server certificate validation errors + terminate the transaction. Bypassing validation errors is dangerous + because an error usually implies that the server cannot be trusted and + the connection may be insecure. + + See also: sslproxy_flags and DONT_VERIFY_PEER. + + Default setting: sslproxy_cert_error deny all +DOC_END + + + +NAME: sslpassword_program +IFDEF: USE_SSL +DEFAULT: none +LOC: Config.Program.ssl_password +TYPE: string +DOC_START + Specify a program used for entering SSL key passphrases + when using encrypted SSL certificate keys. If not specified + keys must either be unencrypted, or Squid started with the -N + option to allow it to query interactively for the passphrase. 
+DOC_END + +COMMENT_START + OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_peer +TYPE: peer +DEFAULT: none +LOC: Config.peers +DOC_START + To specify other caches in a hierarchy, use the format: + + cache_peer hostname type http-port icp-port [options] + + For example, + + # proxy icp + # hostname type port port options + # -------------------- -------- ----- ----- ----------- + cache_peer parent.foo.net parent 3128 3130 default + cache_peer sib1.foo.net sibling 3128 3130 proxy-only + cache_peer sib2.foo.net sibling 3128 3130 proxy-only + cache_peer example.com parent 80 0 no-query default + cache_peer cdn.example.com sibling 3128 0 + + type: either 'parent', 'sibling', or 'multicast'. + + proxy-port: The port number where the peer accept HTTP requests. + For other Squid proxies this is usually 3128 + For web servers this is usually 80 + + icp-port: Used for querying neighbor caches about objects. + Set to 0 if the peer does not support ICP or HTCP. + See ICP and HTCP options below for additional details. + + + ==== ICP OPTIONS ==== + + You MUST also set icp_port and icp_access explicitly when using these options. + The defaults will prevent peer traffic using ICP. + + + no-query Disable ICP queries to this neighbor. + + multicast-responder + Indicates the named peer is a member of a multicast group. + ICP queries will not be sent directly to the peer, but ICP + replies will be accepted from it. + + closest-only Indicates that, for ICP_OP_MISS replies, we'll only forward + CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes. + + background-ping + To only send ICP queries to this neighbor infrequently. + This is used to keep the neighbor round trip time updated + and is usually used in conjunction with weighted-round-robin. + + + ==== HTCP OPTIONS ==== + + You MUST also set htcp_port and htcp_access explicitly when using these options. 
+ The defaults will prevent peer traffic using HTCP. + + + htcp Send HTCP, instead of ICP, queries to the neighbor. + You probably also want to set the "icp-port" to 4827 + instead of 3130. + + htcp-oldsquid Send HTCP to old Squid versions. + + htcp-no-clr Send HTCP to the neighbor but without + sending any CLR requests. This cannot be used with + htcp-only-clr. + + htcp-only-clr Send HTCP to the neighbor but ONLY CLR requests. + This cannot be used with htcp-no-clr. + + htcp-no-purge-clr + Send HTCP to the neighbor including CLRs but only when + they do not result from PURGE requests. + + htcp-forward-clr + Forward any HTCP CLR requests this proxy receives to the peer. + + + ==== PEER SELECTION METHODS ==== + + The default peer selection method is ICP, with the first responding peer + being used as source. These options can be used for better load balancing. + + + default This is a parent cache which can be used as a "last-resort" + if a peer cannot be located by any of the peer-selection methods. + If specified more than once, only the first is used. + + round-robin Load-Balance parents which should be used in a round-robin + fashion in the absence of any ICP queries. + weight=N can be used to add bias. + + weighted-round-robin + Load-Balance parents which should be used in a round-robin + fashion with the frequency of each parent being based on the + round trip time. Closer parents are used more often. + Usually used for background-ping parents. + weight=N can be used to add bias. + + carp Load-Balance parents which should be used as a CARP array. + The requests will be distributed among the parents based on the + CARP load balancing hash function based on their weight. + + userhash Load-balance parents based on the client proxy_auth or ident username. + + sourcehash Load-balance parents based on the client source IP. + + multicast-siblings + To be used only for cache peers of type "multicast". 
+ ALL members of this multicast group have "sibling" + relationship with it, not "parent". This is to a mulicast + group when the requested object would be fetched only from + a "parent" cache, anyway. It's useful, e.g., when + configuring a pool of redundant Squid proxies, being + members of the same multicast group. + + + ==== PEER SELECTION OPTIONS ==== + + weight=N use to affect the selection of a peer during any weighted + peer-selection mechanisms. + The weight must be an integer; default is 1, + larger weights are favored more. + This option does not affect parent selection if a peering + protocol is not in use. + + basetime=N Specify a base amount to be subtracted from round trip + times of parents. + It is subtracted before division by weight in calculating + which parent to fectch from. If the rtt is less than the + base time the rtt is set to a minimal value. + + ttl=N Specify a IP multicast TTL to use when sending an ICP + queries to this address. + Only useful when sending to a multicast group. + Because we don't accept ICP replies from random + hosts, you must configure other group members as + peers with the 'multicast-responder' option. + + no-delay To prevent access to this neighbor from influencing the + delay pools. + + digest-url=URL Tell Squid to fetch the cache digest (if digests are + enabled) for this host from the specified URL rather + than the Squid default location. + + + ==== ACCELERATOR / REVERSE-PROXY OPTIONS ==== + + originserver Causes this parent to be contacted as an origin server. + Meant to be used in accelerator setups when the peer + is a web server. + + forceddomain=name + Set the Host header of requests forwarded to this peer. + Useful in accelerator setups where the server (peer) + expects a certain domain name but clients may request + others. ie example.com or www.example.com + + no-digest Disable request of cache digests. + + no-netdb-exchange + Disables requesting ICMP RTT database (NetDB). 
+ + + ==== AUTHENTICATION OPTIONS ==== + + login=user:password + If this is a personal/workgroup proxy and your parent + requires proxy authentication. + + Note: The string can include URL escapes (i.e. %20 for + spaces). This also means % must be written as %%. + + login=PASSTHRU + Send login details received from client to this peer. + Both Proxy- and WWW-Authorization headers are passed + without alteration to the peer. + Authentication is not required by Squid for this to work. + + Note: This will pass any form of authentication but + only Basic auth will work through a proxy unless the + connection-auth options are also used. + + login=PASS Send login details received from client to this peer. + Authentication is not required by this option. + + If there are no client-provided authentication headers + to pass on, but username and password are available + from an external ACL user= and password= result tags + they may be sent instead. + + Note: To combine this with proxy_auth both proxies must + share the same user database as HTTP only allows for + a single login (one for proxy, one for origin server). + Also be warned this will expose your users proxy + password to the peer. USE WITH CAUTION + + login=*:password + Send the username to the upstream cache, but with a + fixed password. This is meant to be used when the peer + is in another administrative domain, but it is still + needed to identify each user. + The star can optionally be followed by some extra + information which is added to the username. This can + be used to identify this proxy to the peer, similar to + the login=username:password option above. + + login=NEGOTIATE + If this is a personal/workgroup proxy and your parent + requires a secure proxy authentication. + The first principal from the default keytab or defined by + the environment variable KRB5_KTNAME will be used. 
+ + login=NEGOTIATE:principal_name + If this is a personal/workgroup proxy and your parent + requires a secure proxy authentication. + The principal principal_name from the default keytab or + defined by the environment variable KRB5_KTNAME will be + used. + + connection-auth=on|off + Tell Squid that this peer does or not support Microsoft + connection oriented authentication, and any such + challenges received from there should be ignored. + Default is auto to automatically determine the status + of the peer. + + + ==== SSL / HTTPS / TLS OPTIONS ==== + + ssl Encrypt connections to this peer with SSL/TLS. + + sslcert=/path/to/ssl/certificate + A client SSL certificate to use when connecting to + this peer. + + sslkey=/path/to/ssl/key + The private SSL key corresponding to sslcert above. + If 'sslkey' is not specified 'sslcert' is assumed to + reference a combined file containing both the + certificate and the key. + + sslversion=1|2|3|4 + The SSL version to use when connecting to this peer + 1 = automatic (default) + 2 = SSL v2 only + 3 = SSL v3 only + 4 = TLS v1 only + + sslcipher=... The list of valid SSL ciphers to use when connecting + to this peer. + + ssloptions=... Specify various SSL engine options: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + See src/ssl_support.c or the OpenSSL documentation for + a more complete list. + + sslcafile=... A file containing additional CA certificates to use + when verifying the peer certificate. + + sslcapath=... A directory containing additional CA certificates to + use when verifying the peer certificate. + + sslcrlfile=... A certificate revocation list file to use when + verifying the peer certificate. + + sslflags=... Specify various flags modifying the SSL implementation: + + DONT_VERIFY_PEER + Accept certificates even if they fail to + verify. + NO_DEFAULT_CA + Don't use the default CA list built in + to OpenSSL. 
+ DONT_VERIFY_DOMAIN + Don't verify the peer certificate + matches the server name + + ssldomain= The peer name as advertised in it's certificate. + Used for verifying the correctness of the received peer + certificate. If not specified the peer hostname will be + used. + + front-end-https + Enable the "Front-End-Https: On" header needed when + using Squid as a SSL frontend in front of Microsoft OWA. + See MS KB document Q307347 for details on this header. + If set to auto the header will only be added if the + request is forwarded as a https:// URL. + + + ==== GENERAL OPTIONS ==== + + connect-timeout=N + A peer-specific connect timeout. + Also see the peer_connect_timeout directive. + + connect-fail-limit=N + How many times connecting to a peer must fail before + it is marked as down. Default is 10. + + allow-miss Disable Squid's use of only-if-cached when forwarding + requests to siblings. This is primarily useful when + icp_hit_stale is used by the sibling. To extensive use + of this option may result in forwarding loops, and you + should avoid having two-way peerings with this option. + For example to deny peer usage on requests from peer + by denying cache_peer_access if the source is a peer. + + max-conn=N Limit the amount of connections Squid may open to this + peer. see also + + name=xxx Unique name for the peer. + Required if you have multiple peers on the same host + but different ports. + This name can be used in cache_peer_access and similar + directives to dentify the peer. + Can be used by outgoing access controls through the + peername ACL type. + + no-tproxy Do not use the client-spoof TPROXY support when forwarding + requests to this peer. Use normal address selection instead. + + proxy-only objects fetched from the peer will not be stored locally. + +DOC_END + +NAME: cache_peer_domain cache_host_domain +TYPE: hostdomain +DEFAULT: none +LOC: none +DOC_START + Use to limit the domains for which a neighbor cache will be + queried. 
Usage: + + cache_peer_domain cache-host domain [domain ...] + cache_peer_domain cache-host !domain + + For example, specifying + + cache_peer_domain parent.foo.net .edu + + has the effect such that UDP query packets are sent to + 'bigserver' only when the requested object exists on a + server in the .edu domain. Prefixing the domainname + with '!' means the cache will be queried for objects + NOT in that domain. + + NOTE: * Any number of domains may be given for a cache-host, + either on the same or separate lines. + * When multiple domains are given for a particular + cache-host, the first matched domain is applied. + * Cache hosts with no domain restrictions are queried + for all requests. + * There are no defaults. + * There is also a 'cache_peer_access' tag in the ACL + section. +DOC_END + +NAME: cache_peer_access +TYPE: peer_access +DEFAULT: none +LOC: none +DOC_START + Similar to 'cache_peer_domain' but provides more flexibility by + using ACL elements. + + cache_peer_access cache-host allow|deny [!]aclname ... + + The syntax is identical to 'http_access' and the other lists of + ACL elements. See the comments for 'http_access' below, or + the Squid FAQ (http://wiki.squid-cache.org/SquidFaq/SquidAcl). +DOC_END + +NAME: neighbor_type_domain +TYPE: hostdomaintype +DEFAULT: none +LOC: none +DOC_START + usage: neighbor_type_domain neighbor parent|sibling domain domain ... + + Modifying the neighbor type for specific domains is now + possible. You can treat some domains differently than the + default neighbor type specified on the 'cache_peer' line. + Normally it should only be necessary to list domains which + should be treated differently because the default neighbor type + applies for hostnames which do not match domains listed here. 
+ +EXAMPLE: + cache_peer cache.foo.org parent 3128 3130 + neighbor_type_domain cache.foo.org sibling .com .net + neighbor_type_domain cache.foo.org sibling .au .de +DOC_END + +NAME: dead_peer_timeout +COMMENT: (seconds) +DEFAULT: 10 seconds +TYPE: time_t +LOC: Config.Timeout.deadPeer +DOC_START + This controls how long Squid waits to declare a peer cache + as "dead." If there are no ICP replies received in this + amount of time, Squid will declare the peer dead and not + expect to receive any further ICP replies. However, it + continues to send ICP queries, and will mark the peer as + alive upon receipt of the first subsequent ICP reply. + + This timeout also affects when Squid expects to receive ICP + replies from peers. If more than 'dead_peer' seconds have + passed since the last ICP reply was received, Squid will not + expect to receive an ICP reply on the next query. Thus, if + your time between requests is greater than this timeout, you + will see a lot of requests sent DIRECT to origin servers + instead of to your parents. +DOC_END + +NAME: forward_max_tries +DEFAULT: 10 +TYPE: int +LOC: Config.forward_max_tries +DOC_START + Controls how many different forward paths Squid will try + before giving up. See also forward_timeout. +DOC_END + +NAME: hierarchy_stoplist +TYPE: wordlist +DEFAULT: none +LOC: Config.hierarchy_stoplist +DOC_START + A list of words which, if found in a URL, cause the object to + be handled directly by this cache. In other words, use this + to not query neighbor caches for certain objects. You may + list this option multiple times. + Note: never_direct overrides this option. +NOCOMMENT_START + +# We recommend you to use at least the following line. +hierarchy_stoplist cgi-bin ? 
+NOCOMMENT_END +DOC_END + +COMMENT_START + MEMORY CACHE OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_mem +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 256 MB +LOC: Config.memMaxSize +DOC_START + NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE. + IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL + USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER + THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS. + + 'cache_mem' specifies the ideal amount of memory to be used + for: + * In-Transit objects + * Hot Objects + * Negative-Cached objects + + Data for these objects are stored in 4 KB blocks. This + parameter specifies the ideal upper limit on the total size of + 4 KB blocks allocated. In-Transit objects take the highest + priority. + + In-transit objects have priority over the others. When + additional space is needed for incoming data, negative-cached + and hot objects will be released. In other words, the + negative-cached and hot objects will fill up any unused space + not needed for in-transit objects. + + If circumstances require, this limit will be exceeded. + Specifically, if your incoming request rate requires more than + 'cache_mem' of memory to hold in-transit objects, Squid will + exceed this limit to satisfy the new requests. When the load + decreases, blocks will be freed until the high-water mark is + reached. Thereafter, blocks will be used to store hot + objects. +DOC_END + +NAME: maximum_object_size_in_memory +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 512 KB +LOC: Config.Store.maxInMemObjSize +DOC_START + Objects greater than this size will not be attempted to kept in + the memory cache. This should be set high enough to keep objects + accessed frequently in memory to improve performance whilst low + enough to keep larger objects from hoarding cache_mem. 
+DOC_END + +NAME: memory_cache_mode +TYPE: memcachemode +LOC: Config +DEFAULT: always +DOC_START + Controls which objects to keep in the memory cache (cache_mem) + + always Keep most recently fetched objects in memory (default) + + disk Only disk cache hits are kept in memory, which means + an object must first be cached on disk and then hit + a second time before cached in memory. + + network Only objects fetched from network is kept in memory +DOC_END + +NAME: memory_replacement_policy +TYPE: removalpolicy +LOC: Config.memPolicy +DEFAULT: lru +DOC_START + The memory replacement policy parameter determines which + objects are purged from memory when memory space is needed. + + See cache_replacement_policy for details. +DOC_END + +COMMENT_START + DISK CACHE OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_replacement_policy +TYPE: removalpolicy +LOC: Config.replPolicy +DEFAULT: lru +DOC_START + The cache replacement policy parameter determines which + objects are evicted (replaced) when disk space is needed. + + lru : Squid's original list based LRU policy + heap GDSF : Greedy-Dual Size Frequency + heap LFUDA: Least Frequently Used with Dynamic Aging + heap LRU : LRU policy implemented using a heap + + Applies to any cache_dir lines listed below this. + + The LRU policies keeps recently referenced objects. + + The heap GDSF policy optimizes object hit rate by keeping smaller + popular objects in cache so it has a better chance of getting a + hit. It achieves a lower byte hit rate than LFUDA though since + it evicts larger (possibly popular) objects. + + The heap LFUDA policy keeps popular objects in cache regardless of + their size and thus optimizes byte hit rate at the expense of + hit rate since one large, popular object will prevent many + smaller, slightly less popular objects from being cached. 
+ + Both policies utilize a dynamic aging mechanism that prevents + cache pollution that can otherwise occur with frequency-based + replacement policies. + + NOTE: if using the LFUDA replacement policy you should increase + the value of maximum_object_size above its default of 4096 KB to + to maximize the potential byte hit rate improvement of LFUDA. + + For more information about the GDSF and LFUDA cache replacement + policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html + and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html. +DOC_END + +NAME: cache_dir +TYPE: cachedir +DEFAULT: none +LOC: Config.cacheSwap +DOC_START + Usage: + + cache_dir Type Directory-Name Fs-specific-data [options] + + You can specify multiple cache_dir lines to spread the + cache among different disk partitions. + + Type specifies the kind of storage system to use. Only "ufs" + is built by default. To enable any of the other storage systems + see the --enable-storeio configure option. + + 'Directory' is a top-level directory where cache swap + files will be stored. If you want to use an entire disk + for caching, this can be the mount-point directory. + The directory must exist and be writable by the Squid + process. Squid will NOT create this directory for you. + + The ufs store type: + + "ufs" is the old well-known Squid storage format that has always + been there. + + cache_dir ufs Directory-Name Mbytes L1 L2 [options] + + 'Mbytes' is the amount of disk space (MB) to use under this + directory. The default is 100 MB. Change this to suit your + configuration. Do NOT put the size of your disk drive here. + Instead, if you want Squid to use the entire disk drive, + subtract 20% and use that value. + + 'Level-1' is the number of first-level subdirectories which + will be created under the 'Directory'. The default is 16. + + 'Level-2' is the number of second-level subdirectories which + will be created under each first-level directory. The default + is 256. 
+ + The aufs store type: + + "aufs" uses the same storage format as "ufs", utilizing + POSIX-threads to avoid blocking the main Squid process on + disk-I/O. This was formerly known in Squid as async-io. + + cache_dir aufs Directory-Name Mbytes L1 L2 [options] + + see argument descriptions under ufs above + + The diskd store type: + + "diskd" uses the same storage format as "ufs", utilizing a + separate process to avoid blocking the main Squid process on + disk-I/O. + + cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] + + see argument descriptions under ufs above + + Q1 specifies the number of unacknowledged I/O requests when Squid + stops opening new files. If this many messages are in the queues, + Squid won't open new files. Default is 64 + + Q2 specifies the number of unacknowledged messages when Squid + starts blocking. If this many messages are in the queues, + Squid blocks until it receives some replies. Default is 72 + + When Q1 < Q2 (the default), the cache directory is optimized + for lower response time at the expense of a decrease in hit + ratio. If Q1 > Q2, the cache directory is optimized for + higher hit ratio at the expense of an increase in response + time. + + The coss store type: + + NP: COSS filesystem in Squid-3 has been deemed too unstable for + production use and has thus been removed from this release. + We hope that it can be made usable again soon. + + block-size=n defines the "block size" for COSS cache_dir's. + Squid uses file numbers as block numbers. Since file numbers + are limited to 24 bits, the block size determines the maximum + size of the COSS partition. The default is 512 bytes, which + leads to a maximum cache_dir size of 512<<24, or 8 GB. Note + you should not change the coss block size after Squid + has written some objects to the cache_dir. + + The coss file store has changed from 2.5. Now it uses a file + called 'stripe' in the directory names in the config - and + this will be created by squid -z. 
+ + Common options: + + no-store, no new objects should be stored to this cache_dir + + max-size=n, refers to the max object size this storedir supports. + It is used to initially choose the storedir to dump the object. + Note: To make optimal use of the max-size limits you should order + the cache_dir lines with the smallest max-size value first and the + ones with no max-size specification last. + + Note for coss, max-size must be less than COSS_MEMBUF_SZ, + which can be changed with the --with-coss-membuf-size=N configure + option. +NOCOMMENT_START + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs @DEFAULT_SWAP_DIR@ 100 16 256 +NOCOMMENT_END +DOC_END + +NAME: store_dir_select_algorithm +TYPE: string +LOC: Config.store_dir_select_algorithm +DEFAULT: least-load +DOC_START + Set this to 'round-robin' as an alternative. +DOC_END + +NAME: max_open_disk_fds +TYPE: int +LOC: Config.max_open_disk_fds +DEFAULT: 0 +DOC_START + To avoid having disk as the I/O bottleneck Squid can optionally + bypass the on-disk cache if more than this amount of disk file + descriptors are open. + + A value of 0 indicates no limit. +DOC_END + +NAME: minimum_object_size +COMMENT: (bytes) +TYPE: b_int64_t +DEFAULT: 0 KB +LOC: Config.Store.minObjectSize +DOC_START + Objects smaller than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 0 KB, which + means there is no minimum. +DOC_END + +NAME: maximum_object_size +COMMENT: (bytes) +TYPE: b_int64_t +DEFAULT: 4096 KB +LOC: Config.Store.maxObjectSize +DOC_START + Objects larger than this size will NOT be saved on disk. The + value is specified in kilobytes, and the default is 4MB. If + you wish to get a high BYTES hit ratio, you should probably + increase this (one 32 MB object hit counts for 3200 10KB + hits). If you wish to increase speed more than your want to + save bandwidth you should leave this low. 
+ + NOTE: if using the LFUDA replacement policy you should increase + this value to maximize the byte hit rate improvement of LFUDA! + See replacement_policy below for a discussion of this policy. +DOC_END + +NAME: cache_swap_low +COMMENT: (percent, 0-100) +TYPE: int +DEFAULT: 90 +LOC: Config.Swap.lowWaterMark +DOC_NONE + +NAME: cache_swap_high +COMMENT: (percent, 0-100) +TYPE: int +DEFAULT: 95 +LOC: Config.Swap.highWaterMark +DOC_START + + The low- and high-water marks for cache object replacement. + Replacement begins when the swap (disk) usage is above the + low-water mark and attempts to maintain utilization near the + low-water mark. As swap utilization gets close to high-water + mark object eviction becomes more aggressive. If utilization is + close to the low-water mark less replacement is done each time. + + Defaults are 90% and 95%. If you have a large cache, 5% could be + hundreds of MB. If this is the case you may wish to set these + numbers closer together. +DOC_END + +COMMENT_START + LOGFILE OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: logformat +TYPE: logformat +LOC: Config.Log.logformats +DEFAULT: none +DOC_START + Usage: + + logformat + + Defines an access log format. + + The is a string with embedded % format codes + + % format codes all follow the same basic structure where all but + the formatcode is optional. Output strings are automatically escaped + as required according to their context and the output format + modifiers are usually not needed, but can be specified if an explicit + output format is desired. + + % ["|[|'|#] [-] [[0]width] [{argument}] formatcode + + " output in quoted string format + [ output in squid text log format as used by log_mime_hdrs + # output in URL quoted format + ' output as-is + + - left aligned + width field width. 
If starting with 0 the + output is zero padded + {arg} argument such as header name etc + + Format codes: + + % a literal % character + >a Client source IP address + >A Client FQDN + >p Client source port + h Original request header. Optional header name argument + on the format header[:[separator]element] + [http::]>ha The HTTP request headers after adaptation and redirection. + Optional header name argument as for >h + [http::]h + [http::]un User name + [http::]ul User name from authentication + [http::]ui User name from ident + [http::]us User name from SSL + [http::]ue User name from external acl helper + [http::]>Hs HTTP status code sent to the client + [http::]st Received request size including HTTP headers. In the + case of chunked requests the chunked encoding metadata + are not included + [http::]>sh Received HTTP request headers size + [http::]a %Ss/%03>Hs %a %Ss/%03>Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +DOC_END + +NAME: access_log cache_access_log +TYPE: access_log +LOC: Config.Log.accesslogs +DEFAULT: none +DEFAULT_IF_NONE: daemon:@DEFAULT_ACCESS_LOG@ squid +DOC_START + These files log client request activities. Has a line every HTTP or + ICP request. The format is: + access_log : [ [acl acl ...]] + access_log none [acl acl ...]] + + Will log to the specified module:place using the specified format (which + must be defined in a logformat directive) those entries which match + ALL the acl's specified (which must be defined in acl clauses). + If no acl is specified, all requests will be logged to this destination. + + ===== Modules Currently available ===== + + none Do not log any requests matchign these ACL. + Do not specify Place or logformat name. + + stdio Write each log line to disk immediately at the completion of + each request. + Place: the filename and path to be written. + + daemon Very similar to stdio. 
But instead of writing to disk the log + line is passed to a daemon helper for asychronous handling instead. + Place: varies depending on the daemon. + + log_file_daemon Place: the file name and path to be written. + + syslog To log each request via syslog facility. + Place: The syslog facility and priority level for these entries. + Place Format: facility.priority + + where facility could be any of: + authpriv, daemon, local0 ... local7 or user. + + And priority could be any of: + err, warning, notice, info, debug. + + udp To send each log line as text data to a UDP receiver. + Place: The destination host name or IP and port. + Place Format: \\host:port + + Default: + access_log daemon:@DEFAULT_ACCESS_LOG@ squid +DOC_END + +NAME: icap_log +TYPE: access_log +IFDEF: ICAP_CLIENT +LOC: Config.Log.icaplogs +DEFAULT: none +DOC_START + ICAP log files record ICAP transaction summaries, one line per + transaction. + + The icap_log option format is: + icap_log [ [acl acl ...]] + icap_log none [acl acl ...]] + + Please see access_log option documentation for details. The two + kinds of logs share the overall configuration approach and many + features. + + ICAP processing of a single HTTP message or transaction may + require multiple ICAP transactions. In such cases, multiple + ICAP transaction log lines will correspond to a single access + log line. + + ICAP log uses logformat codes that make sense for an ICAP + transaction. Header-related codes are applied to the HTTP header + embedded in an ICAP server response, with the following caveats: + For REQMOD, there is no HTTP response header unless the ICAP + server performed request satisfaction. For RESPMOD, the HTTP + request header is the header sent to the ICAP server. For + OPTIONS, there are no HTTP headers. + + The following format codes are also available for ICAP logs: + + icap::st Bytes sent to the ICAP server (TCP payload + only; i.e., what Squid writes to the socket). + + icap::h ICAP request header(s). 
Similar to >h. + + icap::a %icap::to/%03icap::Hs %icap::'. + + Note, from Squid-3.1 this option has no effect on the cache.log, + that log can be rotated separately by using debug_options +DOC_END + +NAME: emulate_httpd_log +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.common_log +DOC_START + The Cache can emulate the log file format which many 'httpd' + programs use. To disable/enable this emulation, set + emulate_httpd_log to 'off' or 'on'. The default + is to use the native log format since it includes useful + information Squid-specific log analyzers use. +DOC_END + +NAME: log_ip_on_direct +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.log_ip_on_direct +DOC_START + Log the destination IP address in the hierarchy log tag when going + direct. Earlier Squid versions logged the hostname here. If you + prefer the old way set this to off. +DOC_END + +NAME: mime_table +TYPE: string +DEFAULT: @DEFAULT_MIME_TABLE@ +LOC: Config.mimeTablePathname +DOC_START + Pathname to Squid's MIME table. You shouldn't need to change + this, but the default file contains examples and formatting + information if you do. +DOC_END + +NAME: log_mime_hdrs +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.log_mime_hdrs +DEFAULT: off +DOC_START + The Cache can record both the request and the response MIME + headers for each HTTP transaction. The headers are encoded + safely and will appear as two bracketed fields at the end of + the access log (for either the native or httpd-emulated log + formats). To enable this logging set log_mime_hdrs to 'on'. +DOC_END + +NAME: useragent_log +TYPE: string +LOC: Config.Log.useragent +DEFAULT: none +IFDEF: USE_USERAGENT_LOG +DOC_START + Squid will write the User-Agent field from HTTP requests + to the filename specified here. By default useragent_log + is disabled. 
+DOC_END + +NAME: referer_log referrer_log +TYPE: string +LOC: Config.Log.referer +DEFAULT: none +IFDEF: USE_REFERER_LOG +DOC_START + Squid will write the Referer field from HTTP requests to the + filename specified here. By default referer_log is disabled. + Note that "referer" is actually a misspelling of "referrer" + however the misspelt version has been accepted into the HTTP RFCs + and we accept both. +DOC_END + +NAME: pid_filename +TYPE: string +DEFAULT: @DEFAULT_PID_FILE@ +LOC: Config.pidFilename +DOC_START + A filename to write the process-id to. To disable, enter "none". +DOC_END + +NAME: log_fqdn +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.log_fqdn +DOC_START + Turn this on if you wish to log fully qualified domain names + in the access.log. To do this Squid does a DNS lookup of all + IP's connecting to it. This can (in some situations) increase + latency, which makes your cache seem slower for interactive + browsing. +DOC_END + +NAME: client_netmask +TYPE: address +LOC: Config.Addrs.client_netmask +DEFAULT: no_addr +DOC_START + A netmask for client addresses in logfiles and cachemgr output. + Change this to protect the privacy of your cache clients. + A netmask of 255.255.255.0 will log all IP's in that range with + the last digit set to '0'. +DOC_END + +NAME: forward_log +IFDEF: WIP_FWD_LOG +TYPE: string +DEFAULT: none +LOC: Config.Log.forward +DOC_START + Logs the server-side requests. + + This is currently work in progress. +DOC_END + +NAME: strip_query_terms +TYPE: onoff +LOC: Config.onoff.strip_query_terms +DEFAULT: on +DOC_START + By default, Squid strips query terms from requested URLs before + logging. This protects your user's privacy. +DOC_END + +NAME: buffered_logs +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.buffered_logs +DOC_START + cache.log log file is written with stdio functions, and as such + it can be buffered or unbuffered. By default it will be unbuffered. 
+ Buffering it can speed up the writing slightly (though you are + unlikely to need to worry unless you run with tons of debugging + enabled in which case performance will suffer badly anyway..). +DOC_END + +NAME: netdb_filename +TYPE: string +DEFAULT: @DEFAULT_NETDB_FILE@ +LOC: Config.netdbFilename +IFDEF: USE_ICMP +DOC_START + A filename where Squid stores it's netdb state between restarts. + To disable, enter "none". +DOC_END + +COMMENT_START + OPTIONS FOR TROUBLESHOOTING + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_log +TYPE: string +DEFAULT: none +DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@ +LOC: Debug::cache_log +DOC_START + Cache logging file. This is where general information about + your cache's behavior goes. You can increase the amount of data + logged to this file and how often its rotated with "debug_options" +DOC_END + +NAME: debug_options +TYPE: eol +DEFAULT: ALL,1 +LOC: Debug::debugOptions +DOC_START + Logging options are set as section,level where each source file + is assigned a unique section. Lower levels result in less + output, Full debugging (level 9) can result in a very large + log file, so be careful. + + The magic word "ALL" sets debugging levels for all sections. + We recommend normally running with "ALL,1". + + The rotate=N option can be used to keep more or less of these logs + than would otherwise be kept by logfile_rotate. + For most uses a single log should be enough to monitor current + events affecting Squid. +DOC_END + +NAME: coredump_dir +TYPE: string +LOC: Config.coredump_dir +DEFAULT: none +DEFAULT_IF_NONE: none +DOC_START + By default Squid leaves core files in the directory from where + it was started. If you set 'coredump_dir' to a directory + that exists, Squid will chdir() to that directory at startup + and coredump files will be left there. 
+ +NOCOMMENT_START + +# Leave coredumps in the first cache dir +coredump_dir @DEFAULT_SWAP_DIR@ +NOCOMMENT_END +DOC_END + + +COMMENT_START + OPTIONS FOR FTP GATEWAYING + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: ftp_user +TYPE: string +DEFAULT: Squid@ +LOC: Config.Ftp.anon_user +DOC_START + If you want the anonymous login password to be more informative + (and enable the use of picky ftp servers), set this to something + reasonable for your domain, like wwwuser@somewhere.net + + The reason why this is domainless by default is the + request can be made on the behalf of a user in any domain, + depending on how the cache is used. + Some ftp server also validate the email address is valid + (for example perl.com). +DOC_END + +NAME: ftp_passive +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.passive +DOC_START + If your firewall does not allow Squid to use passive + connections, turn off this option. + + Use of ftp_epsv_all option requires this to be ON. +DOC_END + +NAME: ftp_epsv_all +TYPE: onoff +DEFAULT: off +LOC: Config.Ftp.epsv_all +DOC_START + FTP Protocol extensions permit the use of a special "EPSV ALL" command. + + NATs may be able to put the connection on a "fast path" through the + translator, as the EPRT command will never be used and therefore, + translation of the data portion of the segments will never be needed. + + When a client only expects to do two-way FTP transfers this may be + useful. + If squid finds that it must do a three-way FTP transfer after issuing + an EPSV ALL command, the FTP session will fail. + + If you have any doubts about this option do not use it. + Squid will nicely attempt all other connection methods. + + Requires ftp_passive to be ON (default) for any effect. +DOC_END + +NAME: ftp_epsv +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.epsv +DOC_START + FTP Protocol extensions permit the use of a special "EPSV" command. 
+ + NATs may be able to put the connection on a "fast path" through the + translator using EPSV, as the EPRT command will never be used + and therefore, translation of the data portion of the segments + will never be needed. + + Turning this OFF will prevent EPSV being attempted. + WARNING: Doing so will convert Squid back to the old behavior with all + the related problems with external NAT devices/layers. + + Requires ftp_passive to be ON (default) for any effect. +DOC_END + +NAME: ftp_sanitycheck +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.sanitycheck +DOC_START + For security and data integrity reasons Squid by default performs + sanity checks of the addresses of FTP data connections ensure the + data connection is to the requested server. If you need to allow + FTP connections to servers using another IP address for the data + connection turn this off. +DOC_END + +NAME: ftp_telnet_protocol +TYPE: onoff +DEFAULT: on +LOC: Config.Ftp.telnet +DOC_START + The FTP protocol is officially defined to use the telnet protocol + as transport channel for the control connection. However, many + implementations are broken and does not respect this aspect of + the FTP protocol. + + If you have trouble accessing files with ASCII code 255 in the + path or similar problems involving this ASCII code you can + try setting this directive to off. If that helps, report to the + operator of the FTP server in question that their FTP server + is broken and does not follow the FTP standard. +DOC_END + +COMMENT_START + OPTIONS FOR EXTERNAL SUPPORT PROGRAMS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: diskd_program +TYPE: string +DEFAULT: @DEFAULT_DISKD@ +LOC: Config.Program.diskd +DOC_START + Specify the location of the diskd executable. + Note this is only useful if you have compiled in + diskd as one of the store io modules. 
+DOC_END + +NAME: unlinkd_program +IFDEF: USE_UNLINKD +TYPE: string +DEFAULT: @DEFAULT_UNLINKD@ +LOC: Config.Program.unlinkd +DOC_START + Specify the location of the executable for file deletion process. +DOC_END + +NAME: pinger_program +TYPE: string +DEFAULT: @DEFAULT_PINGER@ +LOC: Config.pinger.program +IFDEF: USE_ICMP +DOC_START + Specify the location of the executable for the pinger process. +DOC_END + +NAME: pinger_enable +TYPE: onoff +DEFAULT: on +LOC: Config.pinger.enable +IFDEF: USE_ICMP +DOC_START + Control whether the pinger is active at run-time. + Enables turning ICMP pinger on and off with a simple + squid -k reconfigure. +DOC_END + + +COMMENT_START + OPTIONS FOR URL REWRITING + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: url_rewrite_program redirect_program +TYPE: wordlist +LOC: Config.Program.redirect +DEFAULT: none +DOC_START + Specify the location of the executable for the URL rewriter. + Since they can perform almost any function there isn't one included. + + For each requested URL rewriter will receive on line with the format + + URL client_ip "/" fqdn user method [ kvpairs] + + In the future, the rewriter interface will be extended with + key=value pairs ("kvpairs" shown above). Rewriter programs + should be prepared to receive and possibly ignore additional + whitespace-separated tokens on each input line. + + And the rewriter may return a rewritten URL. The other components of + the request line does not need to be returned (ignored if they are). + + The rewriter can also indicate that a client-side redirect should + be performed to the new URL. This is done by prefixing the returned + URL with "301:" (moved permanently) or 302: (moved temporarily). + + By default, a URL rewriter is not used. 
+DOC_END + +NAME: url_rewrite_children redirect_children +TYPE: HelperChildConfig +DEFAULT: 20 startup=0 idle=1 concurrency=0 +LOC: Config.redirectChildren +DOC_START + The maximum number of redirector processes to spawn. If you limit + it too few Squid will have to wait for them to process a backlog of + URLs, slowing it down. If you allow too many they will use RAM + and other system resources noticably. + + The startup= and idle= options allow some measure of skew in your + tuning. + + startup= + + Sets a minimum of how many processes are to be spawned when Squid + starts or reconfigures. When set to zero the first request will + cause spawning of the first child process to handle it. + + Starting too few will cause an initial slowdown in traffic as Squid + attempts to simultaneously spawn enough processes to cope. + + idle= + + Sets a minimum of how many processes Squid is to try and keep available + at all times. When traffic begins to rise above what the existing + processes can handle this many more will be spawned up to the maximum + configured. A minimum setting of 1 is required. + + concurrency= + + The number of requests each redirector helper can handle in + parallel. Defaults to 0 which indicates the redirector + is a old-style single threaded redirector. + + When this directive is set to a value >= 1 then the protocol + used to communicate with the helper is modified to include + a request ID in front of the request/response. The request + ID from the request must be echoed back with the response + to that request. +DOC_END + +NAME: url_rewrite_host_header redirect_rewrites_host_header +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.redir_rewrites_host +DOC_START + By default Squid rewrites any Host: header in redirected + requests. If you are running an accelerator this may + not be a wanted effect of a redirector. + + WARNING: Entries are cached on the result of the URL rewriting + process, so be careful if you have domain-virtual hosts. 
+DOC_END + +NAME: url_rewrite_access redirector_access +TYPE: acl_access +DEFAULT: none +LOC: Config.accessList.redirector +DOC_START + If defined, this access list specifies which requests are + sent to the redirector processes. By default all requests + are sent. + + This clause supports both fast and slow acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +NAME: url_rewrite_bypass redirector_bypass +TYPE: onoff +LOC: Config.onoff.redirector_bypass +DEFAULT: off +DOC_START + When this is 'on', a request will not go through the + redirector if all redirectors are busy. If this is 'off' + and the redirector queue grows too large, Squid will exit + with a FATAL error and ask you to increase the number of + redirectors. You should only enable this if the redirectors + are not critical to your caching system. If you use + redirectors for access control, and you enable this option, + users may have access to pages they should not + be allowed to request. +DOC_END + +COMMENT_START + OPTIONS FOR TUNING THE CACHE + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache no_cache +TYPE: acl_access +DEFAULT: none +LOC: Config.accessList.noCache +DOC_START + A list of ACL elements which, if matched and denied, cause the request to + not be satisfied from the cache and the reply to not be cached. + In other words, use this to force certain objects to never be cached. + + You must use the words 'allow' or 'deny' to indicate whether items + matching the ACL should be allowed or denied into the cache. + + Default is to allow all to be cached. + + This clause supports both fast and slow acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +NAME: refresh_pattern +TYPE: refreshpattern +LOC: Config.Refresh +DEFAULT: none +DOC_START + usage: refresh_pattern [-i] regex min percent max [options] + + By default, regular expressions are CASE-SENSITIVE. 
To make + them case-insensitive, use the -i option. + + 'Min' is the time (in minutes) an object without an explicit + expiry time should be considered fresh. The recommended + value is 0, any higher values may cause dynamic applications + to be erroneously cached unless the application designer + has taken the appropriate actions. + + 'Percent' is a percentage of the objects age (time since last + modification age) an object without explicit expiry time + will be considered fresh. + + 'Max' is an upper limit on how long objects without an explicit + expiry time will be considered fresh. + + options: override-expire + override-lastmod + reload-into-ims + ignore-reload + ignore-no-cache + ignore-no-store + ignore-must-revalidate + ignore-private + ignore-auth + refresh-ims + + override-expire enforces min age even if the server + sent an explicit expiry time (e.g., with the + Expires: header or Cache-Control: max-age). Doing this + VIOLATES the HTTP standard. Enabling this feature + could make you liable for problems which it causes. + + Note: override-expire does not enforce staleness - it only extends + freshness / min. If the server returns a Expires time which + is longer than your max time, Squid will still consider + the object fresh for that period of time. + + override-lastmod enforces min age even on objects + that were modified recently. + + reload-into-ims changes client no-cache or ``reload'' + to If-Modified-Since requests. Doing this VIOLATES the + HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-reload ignores a client no-cache or ``reload'' + header. Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which + it causes. + + ignore-no-cache ignores any ``Pragma: no-cache'' and + ``Cache-control: no-cache'' headers received from a server. 
+ The HTTP RFC never allows the use of this (Pragma) header + from a server, only a client, though plenty of servers + send it anyway. + + ignore-no-store ignores any ``Cache-control: no-store'' + headers received from a server. Doing this VIOLATES + the HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-must-revalidate ignores any ``Cache-Control: must-revalidate`` + headers received from a server. Doing this VIOLATES + the HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-private ignores any ``Cache-control: private'' + headers received from a server. Doing this VIOLATES + the HTTP standard. Enabling this feature could make you + liable for problems which it causes. + + ignore-auth caches responses to requests with authorization, + as if the originserver had sent ``Cache-control: public'' + in the response header. Doing this VIOLATES the HTTP standard. + Enabling this feature could make you liable for problems which + it causes. + + refresh-ims causes squid to contact the origin server + when a client issues an If-Modified-Since request. This + ensures that the client will receive an updated version + if one is available. + + Basically a cached object is: + + FRESH if expires < now, else STALE + STALE if age > max + FRESH if lm-factor < percent, else STALE + FRESH if age < min + else STALE + + The refresh_pattern lines are checked in the order listed here. + The first entry which matches is used. If none of the entries + match the default will be used. + + Note, you must uncomment all the default lines if you want + to change one. The default setting is only active if none is + used. + +NOCOMMENT_START + +# Add any of your own refresh_pattern entries above these. +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 
0 20% 4320 +NOCOMMENT_END +DOC_END + +NAME: quick_abort_min +COMMENT: (KB) +TYPE: kb_int64_t +DEFAULT: 16 KB +LOC: Config.quickAbort.min +DOC_NONE + +NAME: quick_abort_max +COMMENT: (KB) +TYPE: kb_int64_t +DEFAULT: 16 KB +LOC: Config.quickAbort.max +DOC_NONE + +NAME: quick_abort_pct +COMMENT: (percent) +TYPE: int +DEFAULT: 95 +LOC: Config.quickAbort.pct +DOC_START + The cache by default continues downloading aborted requests + which are almost completed (less than 16 KB remaining). This + may be undesirable on slow (e.g. SLIP) links and/or very busy + caches. Impatient users may tie up file descriptors and + bandwidth by repeatedly requesting and immediately aborting + downloads. + + When the user aborts a request, Squid will check the + quick_abort values to the amount of data transfered until + then. + + If the transfer has less than 'quick_abort_min' KB remaining, + it will finish the retrieval. + + If the transfer has more than 'quick_abort_max' KB remaining, + it will abort the retrieval. + + If more than 'quick_abort_pct' of the transfer has completed, + it will finish the retrieval. + + If you do not want any retrieval to continue after the client + has aborted, set both 'quick_abort_min' and 'quick_abort_max' + to '0 KB'. + + If you want retrievals to always continue if they are being + cached set 'quick_abort_min' to '-1 KB'. +DOC_END + +NAME: read_ahead_gap +COMMENT: buffer-size +TYPE: b_int64_t +LOC: Config.readAheadGap +DEFAULT: 16 KB +DOC_START + The amount of data the cache will buffer ahead of what has been + sent to the client when retrieving an object from another server. +DOC_END + +NAME: negative_ttl +IFDEF: HTTP_VIOLATIONS +COMMENT: time-units +TYPE: time_t +LOC: Config.negativeTtl +DEFAULT: 0 seconds +DOC_START + Set the Default Time-to-Live (TTL) for failed requests. + Certain types of failures (such as "connection refused" and + "404 Not Found") are able to be negatively-cached for a short time. 
+ Modern web servers should provide Expires: header, however if they + do not this can provide a minimum TTL. + The default is not to cache errors with unknown expiry details. + + Note that this is different from negative caching of DNS lookups. + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. +DOC_END + +NAME: positive_dns_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.positiveDnsTtl +DEFAULT: 6 hours +DOC_START + Upper limit on how long Squid will cache positive DNS responses. + Default is 6 hours (360 minutes). This directive must be set + larger than negative_dns_ttl. +DOC_END + +NAME: negative_dns_ttl +COMMENT: time-units +TYPE: time_t +LOC: Config.negativeDnsTtl +DEFAULT: 1 minutes +DOC_START + Time-to-Live (TTL) for negative caching of failed DNS lookups. + This also sets the lower cache limit on positive lookups. + Minimum value is 1 second, and it is not recommendable to go + much below 10 seconds. +DOC_END + +NAME: range_offset_limit +COMMENT: size [acl acl...] +TYPE: acl_b_size_t +LOC: Config.rangeOffsetLimit +DEFAULT: none +DOC_START + usage: (size) [units] [[!]aclname] + + Sets an upper limit on how far (number of bytes) into the file + a Range request may be to cause Squid to prefetch the whole file. + If beyond this limit, Squid forwards the Range request as it is and + the result is NOT cached. + + This is to stop a far ahead range request (lets say start at 17MB) + from making Squid fetch the whole object up to that point before + sending anything to the client. + + Multiple range_offset_limit lines may be specified, and they will + be searched from top to bottom on each request until a match is found. + The first match found will be used. If no line matches a request, the + default limit of 0 bytes will be used. + + 'size' is the limit specified as a number of units. + + 'units' specifies whether to use bytes, KB, MB, etc. 
+ If no units are specified bytes are assumed. + + A size of 0 causes Squid to never fetch more than the + client requested. (default) + + A size of 'none' causes Squid to always fetch the object from the + beginning so it may cache the result. (2.0 style) + + 'aclname' is the name of a defined ACL. + + NP: Using 'none' as the byte value here will override any quick_abort settings + that may otherwise apply to the range request. The range request will + be fully fetched from start to finish regardless of the client + actions. This affects bandwidth usage. +DOC_END + +NAME: minimum_expiry_time +COMMENT: (seconds) +TYPE: time_t +LOC: Config.minimum_expiry_time +DEFAULT: 60 seconds +DOC_START + The minimum caching time according to (Expires - Date) + Headers Squid honors if the object can't be revalidated + defaults to 60 seconds. In reverse proxy environments it + might be desirable to honor shorter object lifetimes. It + is most likely better to make your server return a + meaningful Last-Modified header however. In ESI environments + where page fragments often have short lifetimes, this will + often be best set to 0. +DOC_END + +NAME: store_avg_object_size +COMMENT: (kbytes) +TYPE: kb_int64_t +DEFAULT: 13 KB +LOC: Config.Store.avgObjectSize +DOC_START + Average object size, used to estimate number of objects your + cache can hold. The default is 13 KB. +DOC_END + +NAME: store_objects_per_bucket +TYPE: int +DEFAULT: 20 +LOC: Config.Store.objectsPerBucket +DOC_START + Target number of objects per bucket in the store hash table. + Lowering this value increases the total number of buckets and + also the storage maintenance rate. The default is 20. +DOC_END + +COMMENT_START + HTTP OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: request_header_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 64 KB +LOC: Config.maxRequestHeaderSize +DOC_START + This specifies the maximum size for HTTP headers in a request. 
+ Request headers are usually relatively small (about 512 bytes). + Placing a limit on the request header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. +DOC_END + +NAME: reply_header_max_size +COMMENT: (KB) +TYPE: b_size_t +DEFAULT: 64 KB +LOC: Config.maxReplyHeaderSize +DOC_START + This specifies the maximum size for HTTP headers in a reply. + Reply headers are usually relatively small (about 512 bytes). + Placing a limit on the reply header size will catch certain + bugs (for example with persistent connections) and possibly + buffer-overflow or denial-of-service attacks. +DOC_END + +NAME: request_body_max_size +COMMENT: (bytes) +TYPE: b_int64_t +DEFAULT: 0 KB +LOC: Config.maxRequestBodySize +DOC_START + This specifies the maximum size for an HTTP request body. + In other words, the maximum size of a PUT/POST request. + A user who attempts to send a request with a body larger + than this limit receives an "Invalid Request" error message. + If you set this parameter to a zero (the default), there will + be no limit imposed. +DOC_END + +NAME: chunked_request_body_max_size +COMMENT: (bytes) +TYPE: b_int64_t +DEFAULT: 64 KB +LOC: Config.maxChunkedRequestBodySize +DOC_START + A broken or confused HTTP/1.1 client may send a chunked HTTP + request to Squid. Squid does not have full support for that + feature yet. To cope with such requests, Squid buffers the + entire request and then dechunks request body to create a + plain HTTP/1.0 request with a known content length. The plain + request is then used by the rest of Squid code as usual. + + The option value specifies the maximum size of the buffer used + to hold the request before the conversion. If the chunked + request size exceeds the specified limit, the conversion + fails, and the client receives an "unsupported request" error, + as if dechunking was disabled. + + Dechunking is enabled by default. 
To disable conversion of + chunked requests, set the maximum to zero. + + Request dechunking feature and this option in particular are a + temporary hack. When chunking requests and responses are fully + supported, there will be no need to buffer a chunked request. +DOC_END + +NAME: broken_posts +IFDEF: HTTP_VIOLATIONS +TYPE: acl_access +DEFAULT: none +LOC: Config.accessList.brokenPosts +DOC_START + A list of ACL elements which, if matched, causes Squid to send + an extra CRLF pair after the body of a PUT/POST request. + + Some HTTP servers has broken implementations of PUT/POST, + and rely on an extra CRLF pair sent by some WWW clients. + + Quote from RFC2616 section 4.1 on this matter: + + Note: certain buggy HTTP/1.0 client implementations generate an + extra CRLF's after a POST request. To restate what is explicitly + forbidden by the BNF, an HTTP/1.1 client must not preface or follow + a request with an extra CRLF. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + +Example: + acl buggy_server url_regex ^http://.... + broken_posts allow buggy_server +DOC_END + +NAME: icap_uses_indirect_client +COMMENT: on|off +TYPE: onoff +IFDEF: FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT +DEFAULT: on +LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client +DOC_START + Controls whether the indirect client address + (see follow_x_forwarded_for) instead of the + direct client address is passed to an ICAP + server as "X-Client-IP". +DOC_END + +NAME: via +IFDEF: HTTP_VIOLATIONS +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.via +DOC_START + If set (default), Squid will include a Via header in requests and + replies as required by RFC2616. +DOC_END + +NAME: ie_refresh +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.ie_refresh +DEFAULT: off +DOC_START + Microsoft Internet Explorer up until version 5.5 Service + Pack 1 has an issue with transparent proxies, wherein it + is impossible to force a refresh. 
Turning this on provides + a partial fix to the problem, by causing all IMS-REFRESH + requests from older IE versions to check the origin server + for fresh content. This reduces hit ratio by some amount + (~10% in my experience), but allows users to actually get + fresh content when they want it. Note because Squid + cannot tell if the user is using 5.5 or 5.5SP1, the behavior + of 5.5 is unchanged from old versions of Squid (i.e. a + forced refresh is impossible). Newer versions of IE will, + hopefully, continue to have the new behavior and will be + handled based on that assumption. This option defaults to + the old Squid behavior, which is better for hit ratios but + worse for clients using IE, if they need to be able to + force fresh content. +DOC_END + +NAME: vary_ignore_expire +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.vary_ignore_expire +DEFAULT: off +DOC_START + Many HTTP servers supporting Vary gives such objects + immediate expiry time with no cache-control header + when requested by a HTTP/1.0 client. This option + enables Squid to ignore such expiry times until + HTTP/1.1 is fully implemented. + + WARNING: If turned on this may eventually cause some + varying objects not intended for caching to get cached. +DOC_END + +NAME: request_entities +TYPE: onoff +LOC: Config.onoff.request_entities +DEFAULT: off +DOC_START + Squid defaults to deny GET and HEAD requests with request entities, + as the meaning of such requests are undefined in the HTTP standard + even if not explicitly forbidden. + + Set this directive to on if you have clients which insists + on sending request entities in GET or HEAD requests. But be warned + that there is server software (both proxies and web servers) which + can fail to properly process this kind of request which may make you + vulnerable to cache pollution attacks if enabled. 
+DOC_END + +NAME: request_header_access +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_access[] +LOC: Config.request_header_access +DEFAULT: none +DOC_START + Usage: request_header_access header_name allow|deny [!]aclname ... + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. + + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. + + This option only applies to request headers, i.e., from the + client to the server. + + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. + + For example, to achieve the same behavior as the old + 'http_anonymizer standard' option, you should use: + + request_header_access From deny all + request_header_access Referer deny all + request_header_access Server deny all + request_header_access User-Agent deny all + request_header_access WWW-Authenticate deny all + request_header_access Link deny all + + Or, to reproduce the old 'http_anonymizer paranoid' feature + you should use: + + request_header_access Allow allow all + request_header_access Authorization allow all + request_header_access WWW-Authenticate allow all + request_header_access Proxy-Authorization allow all + request_header_access Proxy-Authenticate allow all + request_header_access Cache-Control allow all + request_header_access Content-Encoding allow all + request_header_access Content-Length allow all + request_header_access Content-Type allow all + request_header_access Date allow all + request_header_access Expires allow all + request_header_access Host allow all + request_header_access If-Modified-Since allow all + request_header_access Last-Modified allow all + request_header_access Location allow all + 
request_header_access Pragma allow all + request_header_access Accept allow all + request_header_access Accept-Charset allow all + request_header_access Accept-Encoding allow all + request_header_access Accept-Language allow all + request_header_access Content-Language allow all + request_header_access Mime-Version allow all + request_header_access Retry-After allow all + request_header_access Title allow all + request_header_access Connection allow all + request_header_access Proxy-Connection allow all + request_header_access All deny all + + although many of those are HTTP reply headers, and so should be + controlled with the reply_header_access directive. + + By default, all headers are allowed (no anonymizing is + performed). +DOC_END + +NAME: reply_header_access +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_access[] +LOC: Config.reply_header_access +DEFAULT: none +DOC_START + Usage: reply_header_access header_name allow|deny [!]aclname ... + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. + + This option only applies to reply headers, i.e., from the + server to the client. + + This is the same as request_header_access, but in the other + direction. + + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. + + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. 
+ + For example, to achieve the same behavior as the old + 'http_anonymizer standard' option, you should use: + + reply_header_access From deny all + reply_header_access Referer deny all + reply_header_access Server deny all + reply_header_access User-Agent deny all + reply_header_access WWW-Authenticate deny all + reply_header_access Link deny all + + Or, to reproduce the old 'http_anonymizer paranoid' feature + you should use: + + reply_header_access Allow allow all + reply_header_access Authorization allow all + reply_header_access WWW-Authenticate allow all + reply_header_access Proxy-Authorization allow all + reply_header_access Proxy-Authenticate allow all + reply_header_access Cache-Control allow all + reply_header_access Content-Encoding allow all + reply_header_access Content-Length allow all + reply_header_access Content-Type allow all + reply_header_access Date allow all + reply_header_access Expires allow all + reply_header_access Host allow all + reply_header_access If-Modified-Since allow all + reply_header_access Last-Modified allow all + reply_header_access Location allow all + reply_header_access Pragma allow all + reply_header_access Accept allow all + reply_header_access Accept-Charset allow all + reply_header_access Accept-Encoding allow all + reply_header_access Accept-Language allow all + reply_header_access Content-Language allow all + reply_header_access Mime-Version allow all + reply_header_access Retry-After allow all + reply_header_access Title allow all + reply_header_access Connection allow all + reply_header_access Proxy-Connection allow all + reply_header_access All deny all + + although the HTTP request headers won't be usefully controlled + by this directive -- see request_header_access for details. + + By default, all headers are allowed (no anonymizing is + performed). 
+DOC_END + +NAME: header_replace +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_replace[] +LOC: Config.request_header_access +DEFAULT: none +DOC_START + Usage: header_replace header_name message + Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) + + This option allows you to change the contents of headers + denied with header_access above, by replacing them with + some fixed string. This replaces the old fake_user_agent + option. + + This only applies to request headers, not reply headers. + + By default, headers are removed if denied. +DOC_END + +NAME: relaxed_header_parser +COMMENT: on|off|warn +TYPE: tristate +LOC: Config.onoff.relaxed_header_parser +DEFAULT: on +DOC_START + In the default "on" setting Squid accepts certain forms + of non-compliant HTTP messages where it is unambiguous + what the sending application intended even if the message + is not correctly formatted. The messages is then normalized + to the correct form when forwarded by Squid. + + If set to "warn" then a warning will be emitted in cache.log + each time such HTTP error is encountered. + + If set to "off" then such HTTP errors will cause the request + or response to be rejected. +DOC_END + +NAME: ignore_expect_100 +COMMENT: on|off +IFDEF: HTTP_VIOLATIONS +TYPE: onoff +LOC: Config.onoff.ignore_expect_100 +DEFAULT: off +DOC_START + This option makes Squid ignore any Expect: 100-continue header present + in the request. RFC 2616 requires that Squid being unable to satisfy + the response expectation MUST return a 417 error. + + Note: Enabling this is a HTTP protocol violation, but some clients may + not handle it well.. 
+DOC_END + +COMMENT_START + TIMEOUTS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: forward_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.forward +DEFAULT: 4 minutes +DOC_START + This parameter specifies how long Squid should at most attempt in + finding a forwarding path for the request before giving up. +DOC_END + +NAME: connect_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.connect +DEFAULT: 1 minute +DOC_START + This parameter specifies how long to wait for the TCP connect to + the requested server or peer to complete before Squid should + attempt to find another path where to forward the request. +DOC_END + +NAME: peer_connect_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.peer_connect +DEFAULT: 30 seconds +DOC_START + This parameter specifies how long to wait for a pending TCP + connection to a peer cache. The default is 30 seconds. You + may also set different timeout values for individual neighbors + with the 'connect-timeout' option on a 'cache_peer' line. +DOC_END + +NAME: read_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.read +DEFAULT: 15 minutes +DOC_START + The read_timeout is applied on server-side connections. After + each successful read(), the timeout will be extended by this + amount. If no data is read again after this amount of time, + the request is aborted and logged with ERR_READ_TIMEOUT. The + default is 15 minutes. +DOC_END + +NAME: write_timeout +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.write +DEFAULT: 15 minutes +DOC_START + This timeout is tracked for all connections that have data + available for writing and are waiting for the socket to become + ready. After each successful write, the timeout is extended by + the configured amount. If Squid has data to write but the + connection is not ready for the configured duration, the + transaction associated with the connection is terminated. 
The + default is 15 minutes. +DOC_END + +NAME: request_timeout +TYPE: time_t +LOC: Config.Timeout.request +DEFAULT: 5 minutes +DOC_START + How long to wait for an HTTP request after initial + connection establishment. +DOC_END + +NAME: persistent_request_timeout +TYPE: time_t +LOC: Config.Timeout.persistent_request +DEFAULT: 2 minutes +DOC_START + How long to wait for the next HTTP request on a persistent + connection after the previous request completes. +DOC_END + +NAME: client_lifetime +COMMENT: time-units +TYPE: time_t +LOC: Config.Timeout.lifetime +DEFAULT: 1 day +DOC_START + The maximum amount of time a client (browser) is allowed to + remain connected to the cache process. This protects the Cache + from having a lot of sockets (and hence file descriptors) tied up + in a CLOSE_WAIT state from remote clients that go away without + properly shutting down (either because of a network failure or + because of a poor client implementation). The default is one + day, 1440 minutes. + + NOTE: The default value is intended to be much larger than any + client would ever need to be connected to your cache. You + should probably change client_lifetime only as a last resort. + If you seem to have many client connections tying up + filedescriptors, we recommend first tuning the read_timeout, + request_timeout, persistent_request_timeout and quick_abort values. +DOC_END + +NAME: half_closed_clients +TYPE: onoff +LOC: Config.onoff.half_closed_clients +DEFAULT: off +DOC_START + Some clients may shutdown the sending side of their TCP + connections, while leaving their receiving sides open. Sometimes, + Squid can not tell the difference between a half-closed and a + fully-closed TCP connection. + + By default, Squid will immediately close client connections when + read(2) returns "no more data to read." + + Change this option to 'on' and Squid will keep open connections + until a read(2) or write(2) on the socket returns an error. 
+ This may show some benefits for reverse proxies. But if not + it is recommended to leave OFF. +DOC_END + +NAME: pconn_timeout +TYPE: time_t +LOC: Config.Timeout.pconn +DEFAULT: 1 minute +DOC_START + Timeout for idle persistent connections to servers and other + proxies. +DOC_END + +NAME: ident_timeout +TYPE: time_t +IFDEF: USE_IDENT +LOC: Ident::TheConfig.timeout +DEFAULT: 10 seconds +DOC_START + Maximum time to wait for IDENT lookups to complete. + + If this is too high, and you enabled IDENT lookups from untrusted + users, you might be susceptible to denial-of-service by having + many ident requests going at once. +DOC_END + +NAME: shutdown_lifetime +COMMENT: time-units +TYPE: time_t +LOC: Config.shutdownLifetime +DEFAULT: 30 seconds +DOC_START + When SIGTERM or SIGHUP is received, the cache is put into + "shutdown pending" mode until all active sockets are closed. + This value is the lifetime to set for all open descriptors + during shutdown mode. Any active clients after this many + seconds will receive a 'timeout' message. +DOC_END + +COMMENT_START + ADMINISTRATIVE PARAMETERS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: cache_mgr +TYPE: string +DEFAULT: webmaster +LOC: Config.adminEmail +DOC_START + Email-address of local cache manager who will receive + mail if the cache dies. The default is "webmaster." +DOC_END + +NAME: mail_from +TYPE: string +DEFAULT: none +LOC: Config.EmailFrom +DOC_START + 
From: email-address for mail sent when the cache dies. + The default is to use 'appname@unique_hostname'. + Default appname value is "squid", can be changed into + src/globals.h before building squid. +DOC_END + +NAME: mail_program +TYPE: eol +DEFAULT: mail +LOC: Config.EmailProgram +DOC_START + Email program used to send mail if the cache dies. + The default is "mail". The specified program must comply + with the standard Unix mail syntax: + mail-program recipient < mailfile + + Optional command line options can be specified. +DOC_END + +NAME: cache_effective_user +TYPE: string +DEFAULT: @DEFAULT_CACHE_EFFECTIVE_USER@ +LOC: Config.effectiveUser +DOC_START + If you start Squid as root, it will change its effective/real + UID/GID to the user specified below. The default is to change + to UID of @DEFAULT_CACHE_EFFECTIVE_USER@. + see also; cache_effective_group +DOC_END + +NAME: cache_effective_group +TYPE: string +DEFAULT: none +LOC: Config.effectiveGroup +DOC_START + Squid sets the GID to the effective user's default group ID + (taken from the password file) and supplementary group list + from the groups membership. + + If you want Squid to run with a specific GID regardless of + the group memberships of the effective user then set this + to the group (or GID) you want Squid to run as. When set + all other group privileges of the effective user are ignored + and only this GID is effective. If Squid is not started as + root the user starting Squid MUST be member of the specified + group. + + This option is not recommended by the Squid Team. + Our preference is for administrators to configure a secure + user account for squid with UID/GID matching system policies. +DOC_END + +NAME: httpd_suppress_version_string +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.httpd_suppress_version_string +DOC_START + Suppress Squid version string info in HTTP headers and HTML error pages. 
+DOC_END + +NAME: visible_hostname +TYPE: string +LOC: Config.visibleHostname +DEFAULT: none +DOC_START + If you want to present a special hostname in error messages, etc, + define this. Otherwise, the return value of gethostname() + will be used. If you have multiple caches in a cluster and + get errors about IP-forwarding you must set them to have individual + names with this setting. +DOC_END + +NAME: unique_hostname +TYPE: string +LOC: Config.uniqueHostname +DEFAULT: none +DOC_START + If you want to have multiple machines with the same + 'visible_hostname' you must give each machine a different + 'unique_hostname' so forwarding loops can be detected. +DOC_END + +NAME: hostname_aliases +TYPE: wordlist +LOC: Config.hostnameAliases +DEFAULT: none +DOC_START + A list of other DNS names your cache has. +DOC_END + +NAME: umask +TYPE: int +LOC: Config.umask +DEFAULT: 027 +DOC_START + Minimum umask which should be enforced while the proxy + is running, in addition to the umask set at startup. + + For a traditional octal representation of umasks, start + your value with 0. +DOC_END + +COMMENT_START + OPTIONS FOR THE CACHE REGISTRATION SERVICE + ----------------------------------------------------------------------------- + + This section contains parameters for the (optional) cache + announcement service. This service is provided to help + cache administrators locate one another in order to join or + create cache hierarchies. + + An 'announcement' message is sent (via UDP) to the registration + service by Squid. By default, the announcement message is NOT + SENT unless you enable it with 'announce_period' below. + + The announcement message includes your hostname, plus the + following information from this configuration file: + + http_port + icp_port + cache_mgr + + All current information is processed regularly and made + available on the Web at http://www.ircache.net/Cache/Tracker/. 
+COMMENT_END + +NAME: announce_period +TYPE: time_t +LOC: Config.Announce.period +DEFAULT: 0 +DOC_START + This is how frequently to send cache announcements. The + default is `0' which disables sending the announcement + messages. + + To enable announcing your cache, just set an announce period. + + Example: + announce_period 1 day +DOC_END + +NAME: announce_host +TYPE: string +DEFAULT: tracker.ircache.net +LOC: Config.Announce.host +DOC_NONE + +NAME: announce_file +TYPE: string +DEFAULT: none +LOC: Config.Announce.file +DOC_NONE + +NAME: announce_port +TYPE: ushort +DEFAULT: 3131 +LOC: Config.Announce.port +DOC_START + announce_host and announce_port set the hostname and port + number where the registration message will be sent. + + Hostname will default to 'tracker.ircache.net' and port will + default default to 3131. If the 'filename' argument is given, + the contents of that file will be included in the announce + message. +DOC_END + +COMMENT_START + HTTPD-ACCELERATOR OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: httpd_accel_surrogate_id +TYPE: string +DEFAULT: none +LOC: Config.Accel.surrogate_id +DOC_START + Surrogates (http://www.esi.org/architecture_spec_1.0.html) + need an identification token to allow control targeting. Because + a farm of surrogates may all perform the same tasks, they may share + an identification token. + + The default ID is the visible_hostname +DOC_END + +NAME: http_accel_surrogate_remote +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.surrogate_is_remote +DOC_START + Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. + Set this to on to have squid behave as a remote surrogate. +DOC_END + +NAME: esi_parser +IFDEF: USE_SQUID_ESI +COMMENT: libxml2|expat|custom +TYPE: string +LOC: ESIParser::Type +DEFAULT: custom +DOC_START + ESI markup is not strictly XML compatible. 
The custom ESI parser + will give higher performance, but cannot handle non ASCII character + encodings. +DOC_END + +COMMENT_START + DELAY POOL PARAMETERS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: delay_pools +TYPE: delay_pool_count +DEFAULT: 0 +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This represents the number of delay pools to be used. For example, + if you have one class 2 delay pool and one class 3 delays pool, you + have a total of 2 delay pools. +DOC_END + +NAME: delay_class +TYPE: delay_pool_class +DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This defines the class of each delay pool. There must be exactly one + delay_class line for each delay pool. For example, to define two + delay pools, one of class 2 and one of class 3, the settings above + and here would be: + + Example: + delay_pools 4 # 4 delay pools + delay_class 1 2 # pool 1 is a class 2 pool + delay_class 2 3 # pool 2 is a class 3 pool + delay_class 3 4 # pool 3 is a class 4 pool + delay_class 4 5 # pool 4 is a class 5 pool + + The delay pool classes are: + + class 1 Everything is limited by a single aggregate + bucket. + + class 2 Everything is limited by a single aggregate + bucket as well as an "individual" bucket chosen + from bits 25 through 32 of the IPv4 address. + + class 3 Everything is limited by a single aggregate + bucket as well as a "network" bucket chosen + from bits 17 through 24 of the IP address and a + "individual" bucket chosen from bits 17 through + 32 of the IPv4 address. + + class 4 Everything in a class 3 delay pool, with an + additional limit on a per user basis. This + only takes effect if the username is established + in advance - by forcing authentication in your + http_access rules. + + class 5 Requests are grouped according their tag (see + external_acl's tag= reply). 
+ + NOTE: If an IP address is a.b.c.d + -> bits 25 through 32 are "d" + -> bits 17 through 24 are "c" + -> bits 17 through 32 are "c * 256 + d" + + NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to + IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. +DOC_END + +NAME: delay_access +TYPE: delay_pool_access +DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This is used to determine which delay pool a request falls into. + + delay_access is sorted per pool and the matching starts with pool 1, + then pool 2, ..., and finally pool N. The first delay pool where the + request is allowed is selected for the request. If it does not allow + the request to any pool then the request is not delayed (default). + + For example, if you want some_big_clients in delay + pool 1 and lotsa_little_clients in delay pool 2: + +Example: + delay_access 1 allow some_big_clients + delay_access 1 deny all + delay_access 2 allow lotsa_little_clients + delay_access 2 deny all + delay_access 3 allow authenticated_clients +DOC_END + +NAME: delay_parameters +TYPE: delay_pool_rates +DEFAULT: none +IFDEF: DELAY_POOLS +LOC: Config.Delay +DOC_START + This defines the parameters for a delay pool. Each delay pool has + a number of "buckets" associated with it, as explained in the + description of delay_class. For a class 1 delay pool, the syntax is: + +delay_parameters pool aggregate + + For a class 2 delay pool: + +delay_parameters pool aggregate individual + + For a class 3 delay pool: + +delay_parameters pool aggregate network individual + + For a class 4 delay pool: + +delay_parameters pool aggregate network individual user + + For a class 5 delay pool: + +delay_parameters pool tag + + The variables here are: + + pool a pool number - ie, a number between 1 and the + number specified in delay_pools as used in + delay_class lines. + + aggregate the "delay parameters" for the aggregate bucket + (class 1, 2, 3). 
+ + individual the "delay parameters" for the individual + buckets (class 2, 3). + + network the "delay parameters" for the network buckets + (class 3). + + user the delay parameters for the user buckets + (class 4). + + tag the delay parameters for the tag buckets + (class 5). + + A pair of delay parameters is written restore/maximum, where restore is + the number of bytes (not bits - modem and network speeds are usually + quoted in bits) per second placed into the bucket, and maximum is the + maximum number of bytes which can be in the bucket at any time. + + For example, if delay pool number 1 is a class 2 delay pool as in the + above example, and is being used to strictly limit each host to 64kbps + (plus overheads), with no overall limit, the line is: + +delay_parameters 1 -1/-1 8000/8000 + + Note that the figure -1 is used to represent "unlimited". + + And, if delay pool number 2 is a class 3 delay pool as in the above + example, and you want to limit it to a total of 256kbps (strict limit) + with each 8-bit network permitted 64kbps (strict limit) and each + individual host permitted 4800bps with a bucket maximum size of 64kb + to permit a decent web page to be downloaded at a decent speed + (if the network is not being limited due to overuse) but slow down + large downloads more significantly: + +delay_parameters 2 32000/32000 8000/8000 600/8000 + + There must be one delay_parameters line for each delay pool. 
+ + Finally, for a class 4 delay pool as in the example - each user will + be limited to 128Kb no matter how many workstations they are logged into.: + +delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 +DOC_END + +NAME: delay_initial_bucket_level +COMMENT: (percent, 0-100) +TYPE: ushort +DEFAULT: 50 +IFDEF: DELAY_POOLS +LOC: Config.Delay.initial +DOC_START + The initial bucket percentage is used to determine how much is put + in each bucket when squid starts, is reconfigured, or first notices + a host accessing it (in class 2 and class 3, individual hosts and + networks only have buckets associated with them once they have been + "seen" by squid). +DOC_END + +COMMENT_START + WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: wccp_router +TYPE: address +LOC: Config.Wccp.router +DEFAULT: any_addr +IFDEF: USE_WCCP +DOC_START + Use this option to define your WCCP ``home'' router for + Squid. + + wccp_router supports a single WCCP(v1) router + + wccp2_router supports multiple WCCPv2 routers + + only one of the two may be used at the same time and defines + which version of WCCP to use. +DOC_END + +NAME: wccp2_router +TYPE: IpAddress_list +LOC: Config.Wccp2.router +DEFAULT: none +IFDEF: USE_WCCPv2 +DOC_START + Use this option to define your WCCP ``home'' router for + Squid. + + wccp_router supports a single WCCP(v1) router + + wccp2_router supports multiple WCCPv2 routers + + only one of the two may be used at the same time and defines + which version of WCCP to use. +DOC_END + +NAME: wccp_version +TYPE: int +LOC: Config.Wccp.version +DEFAULT: 4 +IFDEF: USE_WCCP +DOC_START + This directive is only relevant if you need to set up WCCP(v1) + to some very old and end-of-life Cisco routers. In all other + setups it must be left unset or at the default setting. 
+ It defines an internal version in the WCCP(v1) protocol, + with version 4 being the officially documented protocol. + + According to some users, Cisco IOS 11.2 and earlier only + support WCCP version 3. If you're using that or an earlier + version of IOS, you may need to change this value to 3, otherwise + do not specify this parameter. +DOC_END + +NAME: wccp2_rebuild_wait +TYPE: onoff +LOC: Config.Wccp2.rebuildwait +DEFAULT: on +IFDEF: USE_WCCPv2 +DOC_START + If this is enabled Squid will wait for the cache dir rebuild to finish + before sending the first wccp2 HereIAm packet +DOC_END + +NAME: wccp2_forwarding_method +TYPE: wccp2_method +LOC: Config.Wccp2.forwarding_method +DEFAULT: gre +IFDEF: USE_WCCPv2 +DOC_START + WCCP2 allows the setting of forwarding methods between the + router/switch and the cache. Valid values are as follows: + + gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) + l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) + + Currently (as of IOS 12.4) cisco routers only support GRE. + Cisco switches only support the L2 redirect assignment method. +DOC_END + +NAME: wccp2_return_method +TYPE: wccp2_method +LOC: Config.Wccp2.return_method +DEFAULT: gre +IFDEF: USE_WCCPv2 +DOC_START + WCCP2 allows the setting of return methods between the + router/switch and the cache for packets that the cache + decides not to handle. Valid values are as follows: + + gre - GRE encapsulation (forward the packet in a GRE/WCCP tunnel) + l2 - L2 redirect (forward the packet using Layer 2/MAC rewriting) + + Currently (as of IOS 12.4) cisco routers only support GRE. + Cisco switches only support the L2 redirect assignment. + + If the "ip wccp redirect exclude in" command has been + enabled on the cache interface, then it is still safe for + the proxy server to use a l2 redirect method even if this + option is set to GRE. 
+DOC_END + +NAME: wccp2_assignment_method +TYPE: wccp2_amethod +LOC: Config.Wccp2.assignment_method +DEFAULT: hash +IFDEF: USE_WCCPv2 +DOC_START + WCCP2 allows the setting of methods to assign the WCCP hash + Valid values are as follows: + + hash - Hash assignment + mask - Mask assignment + + As a general rule, cisco routers support the hash assignment method + and cisco switches support the mask assignment method. +DOC_END + +NAME: wccp2_service +TYPE: wccp2_service +LOC: Config.Wccp2.info +DEFAULT: none +DEFAULT_IF_NONE: standard 0 +IFDEF: USE_WCCPv2 +DOC_START + WCCP2 allows for multiple traffic services. There are two + types: "standard" and "dynamic". The standard type defines + one service id - http (id 0). The dynamic service ids can be from + 51 to 255 inclusive. In order to use a dynamic service id + one must define the type of traffic to be redirected; this is done + using the wccp2_service_info option. + + The "standard" type does not require a wccp2_service_info option, + just specifying the service id will suffice. + + MD5 service authentication can be enabled by adding + "password=" to the end of this service declaration. + + Examples: + + wccp2_service standard 0 # for the 'web-cache' standard service + wccp2_service dynamic 80 # a dynamic service type which will be + # fleshed out with subsequent options. + wccp2_service standard 0 password=foo +DOC_END + +NAME: wccp2_service_info +TYPE: wccp2_service_info +LOC: Config.Wccp2.info +DEFAULT: none +IFDEF: USE_WCCPv2 +DOC_START + Dynamic WCCPv2 services require further information to define the + traffic you wish to have diverted. + + The format is: + + wccp2_service_info protocol= flags=,.. + priority= ports=,.. + + The relevant WCCPv2 flags: + + src_ip_hash, dst_ip_hash + + source_port_hash, dst_port_hash + + src_ip_alt_hash, dst_ip_alt_hash + + src_port_alt_hash, dst_port_alt_hash + + ports_source + + The port list can be one to eight entries. 
+ + Example: + + wccp2_service_info 80 protocol=tcp flags=src_ip_hash,ports_source + priority=240 ports=80 + + Note: the service id must have been defined by a previous + 'wccp2_service dynamic ' entry. +DOC_END + +NAME: wccp2_weight +TYPE: int +LOC: Config.Wccp2.weight +DEFAULT: 10000 +IFDEF: USE_WCCPv2 +DOC_START + Each cache server gets assigned a set of the destination + hash proportional to their weight. +DOC_END + +NAME: wccp_address +TYPE: address +LOC: Config.Wccp.address +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCP +DOC_NONE + +NAME: wccp2_address +TYPE: address +LOC: Config.Wccp2.address +DEFAULT: 0.0.0.0 +IFDEF: USE_WCCPv2 +DOC_START + Use this option if you require WCCP to use a specific + interface address. + + The default behavior is to not bind to any specific address. +DOC_END + +COMMENT_START + PERSISTENT CONNECTION HANDLING + ----------------------------------------------------------------------------- + + Also see "pconn_timeout" in the TIMEOUTS section +COMMENT_END + +NAME: client_persistent_connections +TYPE: onoff +LOC: Config.onoff.client_pconns +DEFAULT: on +DOC_NONE + +NAME: server_persistent_connections +TYPE: onoff +LOC: Config.onoff.server_pconns +DEFAULT: on +DOC_START + Persistent connection support for clients and servers. By + default, Squid uses persistent connections (when allowed) + with its clients and servers. You can use these options to + disable persistent connections with clients and/or servers. +DOC_END + +NAME: persistent_connection_after_error +TYPE: onoff +LOC: Config.onoff.error_pconns +DEFAULT: off +DOC_START + With this directive the use of persistent connections after + HTTP errors can be disabled. Useful if you have clients + who fail to handle errors on persistent connections proper. 
+DOC_END + +NAME: detect_broken_pconn +TYPE: onoff +LOC: Config.onoff.detect_broken_server_pconns +DEFAULT: off +DOC_START + Some servers have been found to incorrectly signal the use + of HTTP/1.0 persistent connections even on replies not + compatible, causing significant delays. This server problem + has mostly been seen on redirects. + + By enabling this directive Squid attempts to detect such + broken replies and automatically assume the reply is finished + after 10 seconds timeout. +DOC_END + +COMMENT_START + CACHE DIGEST OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: digest_generation +IFDEF: USE_CACHE_DIGESTS +TYPE: onoff +LOC: Config.onoff.digest_generation +DEFAULT: on +DOC_START + This controls whether the server will generate a Cache Digest + of its contents. By default, Cache Digest generation is + enabled if Squid is compiled with --enable-cache-digests defined. +DOC_END + +NAME: digest_bits_per_entry +IFDEF: USE_CACHE_DIGESTS +TYPE: int +LOC: Config.digest.bits_per_entry +DEFAULT: 5 +DOC_START + This is the number of bits of the server's Cache Digest which + will be associated with the Digest entry for a given HTTP + Method and URL (public key) combination. The default is 5. +DOC_END + +NAME: digest_rebuild_period +IFDEF: USE_CACHE_DIGESTS +COMMENT: (seconds) +TYPE: time_t +LOC: Config.digest.rebuild_period +DEFAULT: 1 hour +DOC_START + This is the wait time between Cache Digest rebuilds. +DOC_END + +NAME: digest_rewrite_period +COMMENT: (seconds) +IFDEF: USE_CACHE_DIGESTS +TYPE: time_t +LOC: Config.digest.rewrite_period +DEFAULT: 1 hour +DOC_START + This is the wait time between Cache Digest writes to + disk. +DOC_END + +NAME: digest_swapout_chunk_size +COMMENT: (bytes) +TYPE: b_size_t +IFDEF: USE_CACHE_DIGESTS +LOC: Config.digest.swapout_chunk_size +DEFAULT: 4096 bytes +DOC_START + This is the number of bytes of the Cache Digest to write to + disk at a time. 
It defaults to 4096 bytes (4KB), the Squid + default swap page. +DOC_END + +NAME: digest_rebuild_chunk_percentage +COMMENT: (percent, 0-100) +IFDEF: USE_CACHE_DIGESTS +TYPE: int +LOC: Config.digest.rebuild_chunk_percentage +DEFAULT: 10 +DOC_START + This is the percentage of the Cache Digest to be scanned at a + time. By default it is set to 10% of the Cache Digest. +DOC_END + +COMMENT_START + SNMP OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: snmp_port +TYPE: ushort +LOC: Config.Port.snmp +DEFAULT: 0 +IFDEF: SQUID_SNMP +DOC_START + The port number where Squid listens for SNMP requests. To enable + SNMP support set this to a suitable port number. Port number + 3401 is often used for the Squid SNMP agent. By default it's + set to "0" (disabled) + + Example: + snmp_port 3401 +DOC_END + +NAME: snmp_access +TYPE: acl_access +LOC: Config.accessList.snmp +DEFAULT: none +DEFAULT_IF_NONE: deny all +IFDEF: SQUID_SNMP +DOC_START + Allowing or denying access to the SNMP port. + + All access to the agent is denied by default. + usage: + + snmp_access allow|deny [!]aclname ... + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +Example: + snmp_access allow snmppublic localhost + snmp_access deny all +DOC_END + +NAME: snmp_incoming_address +TYPE: address +LOC: Config.Addrs.snmp_incoming +DEFAULT: any_addr +IFDEF: SQUID_SNMP +DOC_NONE + +NAME: snmp_outgoing_address +TYPE: address +LOC: Config.Addrs.snmp_outgoing +DEFAULT: no_addr +IFDEF: SQUID_SNMP +DOC_START + Just like 'udp_incoming_address', but for the SNMP port. + + snmp_incoming_address is used for the SNMP socket receiving + messages from SNMP agents. + snmp_outgoing_address is used for SNMP packets returned to SNMP + agents. + + The default snmp_incoming_address is to listen on all + available network interfaces. 
+ + If snmp_outgoing_address is not set it will use the same socket + as snmp_incoming_address. Only change this if you want to have + SNMP replies sent using another address than where this Squid + listens for SNMP queries. + + NOTE, snmp_incoming_address and snmp_outgoing_address can not have + the same value since they both use port 3401. +DOC_END + +COMMENT_START + ICP OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: icp_port udp_port +TYPE: ushort +DEFAULT: 0 +LOC: Config.Port.icp +DOC_START + The port number where Squid sends and receives ICP queries to + and from neighbor caches. The standard UDP port for ICP is 3130. + Default is disabled (0). + + Example: + icp_port @DEFAULT_ICP_PORT@ +DOC_END + +NAME: htcp_port +IFDEF: USE_HTCP +TYPE: ushort +DEFAULT: 0 +LOC: Config.Port.htcp +DOC_START + The port number where Squid sends and receives HTCP queries to + and from neighbor caches. To turn it on you want to set it to + 4827. By default it is set to "0" (disabled). + + Example: + htcp_port 4827 +DOC_END + +NAME: log_icp_queries +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.log_udp +DOC_START + If set, ICP queries are logged to access.log. You may wish + do disable this if your ICP load is VERY high to speed things + up or to simplify log analysis. +DOC_END + +NAME: udp_incoming_address +TYPE: address +LOC:Config.Addrs.udp_incoming +DEFAULT: any_addr +DOC_START + udp_incoming_address is used for UDP packets received from other + caches. + + The default behavior is to not bind to any specific address. + + Only change this if you want to have all UDP queries received on + a specific interface/address. + + NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS + modules. Altering it will affect all of them in the same manner. + + see also; udp_outgoing_address + + NOTE, udp_incoming_address and udp_outgoing_address can not + have the same value since they both use the same port. 
+DOC_END + +NAME: udp_outgoing_address +TYPE: address +LOC: Config.Addrs.udp_outgoing +DEFAULT: no_addr +DOC_START + udp_outgoing_address is used for UDP packets sent out to other + caches. + + The default behavior is to not bind to any specific address. + + Instead it will use the same socket as udp_incoming_address. + Only change this if you want to have UDP queries sent using another + address than where this Squid listens for UDP queries from other + caches. + + NOTE: udp_outgoing_address is used by the ICP, HTCP, and DNS + modules. Altering it will affect all of them in the same manner. + + see also; udp_incoming_address + + NOTE, udp_incoming_address and udp_outgoing_address can not + have the same value since they both use the same port. +DOC_END + +NAME: icp_hit_stale +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.icp_hit_stale +DOC_START + If you want to return ICP_HIT for stale cache objects, set this + option to 'on'. If you have sibling relationships with caches + in other administrative domains, this should be 'off'. If you only + have sibling relationships with caches under your control, + it is probably okay to set this to 'on'. + If set to 'on', your siblings should use the option "allow-miss" + on their cache_peer lines for connecting to you. +DOC_END + +NAME: minimum_direct_hops +TYPE: int +DEFAULT: 4 +LOC: Config.minDirectHops +DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many hops away. +DOC_END + +NAME: minimum_direct_rtt +TYPE: int +DEFAULT: 400 +LOC: Config.minDirectRtt +DOC_START + If using the ICMP pinging stuff, do direct fetches for sites + which are no more than this many rtt milliseconds away. +DOC_END + +NAME: netdb_low +TYPE: int +DEFAULT: 900 +LOC: Config.Netdb.low +DOC_NONE + +NAME: netdb_high +TYPE: int +DEFAULT: 1000 +LOC: Config.Netdb.high +DOC_START + The low and high water marks for the ICMP measurement + database. These are counts, not percents. 
The defaults are + 900 and 1000. When the high water mark is reached, database + entries will be deleted until the low mark is reached. +DOC_END + +NAME: netdb_ping_period +TYPE: time_t +LOC: Config.Netdb.period +DEFAULT: 5 minutes +DOC_START + The minimum period for measuring a site. There will be at + least this much delay between successive pings to the same + network. The default is five minutes. +DOC_END + +NAME: query_icmp +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.query_icmp +DOC_START + If you want to ask your peers to include ICMP data in their ICP + replies, enable this option. + + If your peer has configured Squid (during compilation) with + '--enable-icmp' that peer will send ICMP pings to origin server + sites of the URLs it receives. If you enable this option the + ICP replies from that peer will include the ICMP data (if available). + Then, when choosing a parent cache, Squid will choose the parent with + the minimal RTT to the origin server. When this happens, the + hierarchy field of the access.log will be + "CLOSEST_PARENT_MISS". This option is off by default. +DOC_END + +NAME: test_reachability +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.test_reachability +DOC_START + When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH + instead of ICP_MISS if the target host is NOT in the ICMP + database, or has a zero RTT. +DOC_END + +NAME: icp_query_timeout +COMMENT: (msec) +DEFAULT: 0 +TYPE: int +LOC: Config.Timeout.icp_query +DOC_START + Normally Squid will automatically determine an optimal ICP + query timeout value based on the round-trip-time of recent ICP + queries. If you want to override the value determined by + Squid, set this 'icp_query_timeout' to a non-zero value. 
This + value is specified in MILLISECONDS, so, to use a 2-second + timeout (the old default), you would write: + + icp_query_timeout 2000 +DOC_END + +NAME: maximum_icp_query_timeout +COMMENT: (msec) +DEFAULT: 2000 +TYPE: int +LOC: Config.Timeout.icp_query_max +DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very large values (say 5 seconds). + Use this option to put an upper limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set a fixed timeout see the + 'icp_query_timeout' directive. +DOC_END + +NAME: minimum_icp_query_timeout +COMMENT: (msec) +DEFAULT: 5 +TYPE: int +LOC: Config.Timeout.icp_query_min +DOC_START + Normally the ICP query timeout is determined dynamically. But + sometimes it can lead to very small timeouts, even lower than + the normal latency variance on your link due to traffic. + Use this option to put an lower limit on the dynamic timeout + value. Do NOT use this option to always use a fixed (instead + of a dynamic) timeout value. To set a fixed timeout see the + 'icp_query_timeout' directive. +DOC_END + +NAME: background_ping_rate +COMMENT: time-units +TYPE: time_t +DEFAULT: 10 seconds +LOC: Config.backgroundPingRate +DOC_START + Controls how often the ICP pings are sent to siblings that + have background-ping set. +DOC_END + +COMMENT_START + MULTICAST ICP OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: mcast_groups +TYPE: wordlist +LOC: Config.mcast_group_list +DEFAULT: none +DOC_START + This tag specifies a list of multicast groups which your server + should join to receive multicasted ICP queries. + + NOTE! Be very careful what you put here! Be sure you + understand the difference between an ICP _query_ and an ICP + _reply_. This option is to be set only if you want to RECEIVE + multicast queries. 
Do NOT set this option to SEND multicast + ICP (use cache_peer for that). ICP replies are always sent via + unicast, so this option does not affect whether or not you will + receive replies from multicast group members. + + You must be very careful to NOT use a multicast address which + is already in use by another group of caches. + + If you are unsure about multicast, please read the Multicast + chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). + + Usage: mcast_groups 239.128.16.128 224.0.1.20 + + By default, Squid doesn't listen on any multicast groups. +DOC_END + +NAME: mcast_miss_addr +IFDEF: MULTICAST_MISS_STREAM +TYPE: address +LOC: Config.mcast_miss.addr +DEFAULT: no_addr +DOC_START + If you enable this option, every "cache miss" URL will + be sent out on the specified multicast address. + + Do not enable this option unless you are are absolutely + certain you understand what you are doing. +DOC_END + +NAME: mcast_miss_ttl +IFDEF: MULTICAST_MISS_STREAM +TYPE: ushort +LOC: Config.mcast_miss.ttl +DEFAULT: 16 +DOC_START + This is the time-to-live value for packets multicasted + when multicasting off cache miss URLs is enabled. By + default this is set to 'site scope', i.e. 16. +DOC_END + +NAME: mcast_miss_port +IFDEF: MULTICAST_MISS_STREAM +TYPE: ushort +LOC: Config.mcast_miss.port +DEFAULT: 3135 +DOC_START + This is the port number to be used in conjunction with + 'mcast_miss_addr'. +DOC_END + +NAME: mcast_miss_encode_key +IFDEF: MULTICAST_MISS_STREAM +TYPE: string +LOC: Config.mcast_miss.encode_key +DEFAULT: XXXXXXXXXXXXXXXX +DOC_START + The URLs that are sent in the multicast miss stream are + encrypted. This is the encryption key. +DOC_END + +NAME: mcast_icp_query_timeout +COMMENT: (msec) +DEFAULT: 2000 +TYPE: int +LOC: Config.Timeout.mcast_icp_query +DOC_START + For multicast peers, Squid regularly sends out ICP "probes" to + count how many other peers are listening on the given multicast + address. 
This value specifies how long Squid should wait to + count all the replies. The default is 2000 msec, or 2 + seconds. +DOC_END + +COMMENT_START + INTERNAL ICON OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: icon_directory +TYPE: string +LOC: Config.icons.directory +DEFAULT: @DEFAULT_ICON_DIR@ +DOC_START + Where the icons are stored. These are normally kept in + @DEFAULT_ICON_DIR@ +DOC_END + +NAME: global_internal_static +TYPE: onoff +LOC: Config.onoff.global_internal_static +DEFAULT: on +DOC_START + This directive controls is Squid should intercept all requests for + /squid-internal-static/ no matter which host the URL is requesting + (default on setting), or if nothing special should be done for + such URLs (off setting). The purpose of this directive is to make + icons etc work better in complex cache hierarchies where it may + not always be possible for all corners in the cache mesh to reach + the server generating a directory listing. +DOC_END + +NAME: short_icon_urls +TYPE: onoff +LOC: Config.icons.use_short_names +DEFAULT: on +DOC_START + If this is enabled Squid will use short URLs for icons. + If disabled it will revert to the old behavior of including + it's own name and port in the URL. + + If you run a complex cache hierarchy with a mix of Squid and + other proxies you may need to disable this directive. +DOC_END + +COMMENT_START + ERROR PAGE OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: error_directory +TYPE: string +LOC: Config.errorDirectory +DEFAULT: none +DOC_START + If you wish to create your own versions of the default + error files to customize them to suit your company copy + the error/template files to another directory and point + this tag at them. + + WARNING: This option will disable multi-language support + on error pages if used. 
+ + The squid developers are interested in making squid available in + a wide variety of languages. If you are making translations for a + language that Squid does not currently provide please consider + contributing your translation back to the project. + http://wiki.squid-cache.org/Translations + + The squid developers working on translations are happy to supply drop-in + translated error files in exchange for any new language contributions. +DOC_END + +NAME: error_default_language +IFDEF: USE_ERR_LOCALES +TYPE: string +LOC: Config.errorDefaultLanguage +DEFAULT: none +DOC_START + Set the default language which squid will send error pages in + if no existing translation matches the clients language + preferences. + + If unset (default) generic English will be used. + + The squid developers are interested in making squid available in + a wide variety of languages. If you are interested in making + translations for any language see the squid wiki for details. + http://wiki.squid-cache.org/Translations +DOC_END + +NAME: error_log_languages +IFDEF: USE_ERR_LOCALES +TYPE: onoff +LOC: Config.errorLogMissingLanguages +DEFAULT: on +DOC_START + Log to cache.log what languages users are attempting to + auto-negotiate for translations. + + Successful negotiations are not logged. Only failures + have meaning to indicate that Squid may need an upgrade + of its error page translations. +DOC_END + +NAME: err_page_stylesheet +TYPE: string +LOC: Config.errorStylesheet +DEFAULT: @DEFAULT_CONFIG_DIR@/errorpage.css +DOC_START + CSS Stylesheet to pattern the display of Squid default error pages. + + For information on CSS see http://www.w3.org/Style/CSS/ +DOC_END + +NAME: err_html_text +TYPE: eol +LOC: Config.errHtmlText +DEFAULT: none +DOC_START + HTML text to include in error messages. Make this a "mailto" + URL to your admin address, or maybe just a link to your + organizations Web page. 
+ + To include this in your error messages, you must rewrite + the error template files (found in the "errors" directory). + Wherever you want the 'err_html_text' line to appear, + insert a %L tag in the error template file. +DOC_END + +NAME: email_err_data +COMMENT: on|off +TYPE: onoff +LOC: Config.onoff.emailErrData +DEFAULT: on +DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body contains the data. + Syntax is %w +DOC_END + +NAME: deny_info +TYPE: denyinfo +LOC: Config.denyInfoList +DEFAULT: none +DOC_START + Usage: deny_info err_page_name acl + or deny_info http://... acl + or deny_info TCP_RESET acl + + This can be used to return a ERR_ page for requests which + do not pass the 'http_access' rules. Squid remembers the last + acl it evaluated in http_access, and if a 'deny_info' line exists + for that ACL Squid returns a corresponding error page. + + The acl is typically the last acl on the http_access deny line which + denied access. The exceptions to this rule are: + - When Squid needs to request authentication credentials. It's then + the first authentication related acl encountered + - When none of the http_access lines matches. It's then the last + acl processed on the last http_access line. + + NP: If providing your own custom error pages with error_directory + you may also specify them by your custom file name: + Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys + + Alternatively you can tell Squid to reset the TCP connection + by specifying TCP_RESET. + + Or you can specify an error URL or URL pattern. The browsers will + get redirected (302) to the specified URL after formattgin tags have + been replaced. + + URL FORMAT TAGS: + %a - username (if available. 
Password NOT included) + %B - FTP path URL + %e - Error number + %E - Error description + %h - Squid hostname + %H - Request domain name + %i - Client IP Address + %M - Request Method + %o - Message result from external ACL helper + %p - Request Port number + %P - Request Protocol name + %R - Request URL path + %T - Timestamp in RFC 1123 format + %U - Full canonical URL from client + (HTTPS URLs terminate with *) + %u - Full canonical URL from client + %w - Admin email from squid.conf + %% - Literal percent (%) code + +DOC_END + +COMMENT_START + OPTIONS INFLUENCING REQUEST FORWARDING + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: nonhierarchical_direct +TYPE: onoff +LOC: Config.onoff.nonhierarchical_direct +DEFAULT: on +DOC_START + By default, Squid will send any non-hierarchical requests + (matching hierarchy_stoplist or not cacheable request type) direct + to origin servers. + + If you set this to off, Squid will prefer to send these + requests to parents. + + Note that in most configurations, by turning this off you will only + add latency to these request without any improvement in global hit + ratio. + + If you are inside an firewall see never_direct instead of + this directive. +DOC_END + +NAME: prefer_direct +TYPE: onoff +LOC: Config.onoff.prefer_direct +DEFAULT: off +DOC_START + Normally Squid tries to use parents for most requests. If you for some + reason like it to first try going direct and only use a parent if + going direct fails set this to on. + + By combining nonhierarchical_direct off and prefer_direct on you + can set up Squid to use a parent as a backup path if going direct + fails. + + Note: If you want Squid to use parents for all requests see + the never_direct directive. prefer_direct only modifies how Squid + acts on cacheable requests. 
+DOC_END + +NAME: always_direct +TYPE: acl_access +LOC: Config.accessList.AlwaysDirect +DEFAULT: none +DOC_START + Usage: always_direct allow|deny [!]aclname ... + + Here you can use ACL elements to specify requests which should + ALWAYS be forwarded by Squid to the origin servers without using + any peers. For example, to always directly forward requests for + local servers ignoring any parents or siblings you may have use + something like: + + acl local-servers dstdomain my.domain.net + always_direct allow local-servers + + To always forward FTP requests directly, use + + acl FTP proto FTP + always_direct allow FTP + + NOTE: There is a similar, but opposite option named + 'never_direct'. You need to be aware that "always_direct deny + foo" is NOT the same thing as "never_direct allow foo". You + may need to use a deny rule to exclude a more-specific case of + some other rule. Example: + + acl local-external dstdomain external.foo.net + acl local-servers dstdomain .foo.net + always_direct deny local-external + always_direct allow local-servers + + NOTE: If your goal is to make the client forward the request + directly to the origin server bypassing Squid then this needs + to be done in the client configuration. Squid configuration + can only tell Squid how Squid should fetch the object. + + NOTE: This directive is not related to caching. The replies + is cached as usual even if you use always_direct. To not cache + the replies see the 'cache' directive. + + This clause supports both fast and slow acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +NAME: never_direct +TYPE: acl_access +LOC: Config.accessList.NeverDirect +DEFAULT: none +DOC_START + Usage: never_direct allow|deny [!]aclname ... + + never_direct is the opposite of always_direct. Please read + the description for always_direct if you have not already. 
+ + With 'never_direct' you can use ACL elements to specify + requests which should NEVER be forwarded directly to origin + servers. For example, to force the use of a proxy for all + requests, except those in your local domain use something like: + + acl local-servers dstdomain .foo.net + never_direct deny local-servers + never_direct allow all + + or if Squid is inside a firewall and there are local intranet + servers inside the firewall use something like: + + acl local-intranet dstdomain .foo.net + acl local-external dstdomain external.foo.net + always_direct deny local-external + always_direct allow local-intranet + never_direct allow all + + This clause supports both fast and slow acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. +DOC_END + +COMMENT_START + ADVANCED NETWORKING OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: incoming_icp_average +TYPE: int +DEFAULT: 6 +LOC: Config.comm_incoming.icp_average +DOC_NONE + +NAME: incoming_http_average +TYPE: int +DEFAULT: 4 +LOC: Config.comm_incoming.http_average +DOC_NONE + +NAME: incoming_dns_average +TYPE: int +DEFAULT: 4 +LOC: Config.comm_incoming.dns_average +DOC_NONE + +NAME: min_icp_poll_cnt +TYPE: int +DEFAULT: 8 +LOC: Config.comm_incoming.icp_min_poll +DOC_NONE + +NAME: min_dns_poll_cnt +TYPE: int +DEFAULT: 8 +LOC: Config.comm_incoming.dns_min_poll +DOC_NONE + +NAME: min_http_poll_cnt +TYPE: int +DEFAULT: 8 +LOC: Config.comm_incoming.http_min_poll +DOC_START + Heavy voodoo here. I can't even believe you are reading this. + Are you crazy? Don't even think about adjusting these unless + you understand the algorithms in comm_select.c first! +DOC_END + +NAME: accept_filter +TYPE: string +DEFAULT: none +LOC: Config.accept_filter +DOC_START + FreeBSD: + + The name of an accept(2) filter to install on Squid's + listen socket(s). This feature is perhaps specific to + FreeBSD and requires support in the kernel. 
+ + The 'httpready' filter delays delivering new connections + to Squid until a full HTTP request has been received. + See the accf_http(9) man page for details. + + The 'dataready' filter delays delivering new connections + to Squid until there is some data to process. + See the accf_dataready(9) man page for details. + + Linux: + + The 'data' filter delays delivering of new connections + to Squid until there is some data to process by TCP_ACCEPT_DEFER. + You may optionally specify a number of seconds to wait by + 'data=N' where N is the number of seconds. Defaults to 30 + if not specified. See the tcp(7) man page for details. +EXAMPLE: +# FreeBSD +accept_filter httpready +# Linux +accept_filter data +DOC_END + +NAME: client_ip_max_connections +TYPE: int +LOC: Config.client_ip_max_connections +DEFAULT: -1 +DOC_START + Set an absolute limit on the number of connections a single + client IP can use. Any more than this and Squid will begin to drop + new connections from the client until it closes some links. + + Note that this is a global limit. It affects all HTTP, HTCP, Gopher and FTP + connections from the client. For finer control use the ACL access controls. + + Requires client_db to be enabled (the default). + + WARNING: This may noticably slow down traffic received via external proxies + or NAT devices and cause them to rebound error messages back to their clients. +DOC_END + +NAME: tcp_recv_bufsize +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 0 bytes +LOC: Config.tcpRcvBufsz +DOC_START + Size of receive buffer to set for TCP sockets. Probably just + as easy to change your kernel's default. Set to zero to use + the default buffer size. 
+DOC_END + +COMMENT_START + ICAP OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: icap_enable +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: Adaptation::Icap::TheConfig.onoff +DEFAULT: off +DOC_START + If you want to enable the ICAP module support, set this to on. +DOC_END + +NAME: icap_connect_timeout +TYPE: time_t +DEFAULT: none +LOC: Adaptation::Icap::TheConfig.connect_timeout_raw +IFDEF: ICAP_CLIENT +DOC_START + This parameter specifies how long to wait for the TCP connect to + the requested ICAP server to complete before giving up and either + terminating the HTTP transaction or bypassing the failure. + + The default for optional services is peer_connect_timeout. + The default for essential services is connect_timeout. + If this option is explicitly set, its value applies to all services. +DOC_END + +NAME: icap_io_timeout +COMMENT: time-units +TYPE: time_t +DEFAULT: none +LOC: Adaptation::Icap::TheConfig.io_timeout_raw +IFDEF: ICAP_CLIENT +DOC_START + This parameter specifies how long to wait for an I/O activity on + an established, active ICAP connection before giving up and + either terminating the HTTP transaction or bypassing the + failure. + + The default is read_timeout. +DOC_END + +NAME: icap_service_failure_limit +COMMENT: limit [in memory-depth time-units] +TYPE: icap_service_failure_limit +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig +DEFAULT: 10 +DOC_START + The limit specifies the number of failures that Squid tolerates + when establishing a new TCP connection with an ICAP service. If + the number of failures exceeds the limit, the ICAP service is + not used for new ICAP requests until it is time to refresh its + OPTIONS. + + A negative value disables the limit. Without the limit, an ICAP + service will not be considered down due to connectivity failures + between ICAP OPTIONS requests. 
+ + Squid forgets ICAP service failures older than the specified + value of memory-depth. The memory fading algorithm + is approximate because Squid does not remember individual + errors but groups them instead, splitting the option + value into ten time slots of equal length. + + When memory-depth is 0 and by default this option has no + effect on service failure expiration. + + Squid always forgets failures when updating service settings + using an ICAP OPTIONS transaction, regardless of this option + setting. + + For example, + # suspend service usage after 10 failures in 5 seconds: + icap_service_failure_limit 10 in 5 seconds +DOC_END + +NAME: icap_service_revival_delay +TYPE: int +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig.service_revival_delay +DEFAULT: 180 +DOC_START + The delay specifies the number of seconds to wait after an ICAP + OPTIONS request failure before requesting the options again. The + failed ICAP service is considered "down" until fresh OPTIONS are + fetched. + + The actual delay cannot be smaller than the hardcoded minimum + delay of 30 seconds. +DOC_END + +NAME: icap_preview_enable +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: Adaptation::Icap::TheConfig.preview_enable +DEFAULT: on +DOC_START + The ICAP Preview feature allows the ICAP server to handle the + HTTP message by looking only at the beginning of the message body + or even without receiving the body at all. In some environments, + previews greatly speedup ICAP processing. + + During an ICAP OPTIONS transaction, the server may tell Squid what + HTTP messages should be previewed and how big the preview should be. + Squid will not use Preview if the server did not request one. + + To disable ICAP Preview for all ICAP services, regardless of + individual ICAP server OPTIONS responses, set this option to "off". 
+Example: +icap_preview_enable off +DOC_END + +NAME: icap_preview_size +TYPE: int +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig.preview_size +DEFAULT: -1 +DOC_START + The default size of preview data to be sent to the ICAP server. + -1 means no preview. This value might be overwritten on a per server + basis by OPTIONS requests. +DOC_END + +NAME: icap_default_options_ttl +TYPE: int +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig.default_options_ttl +DEFAULT: 60 +DOC_START + The default TTL value for ICAP OPTIONS responses that don't have + an Options-TTL header. +DOC_END + +NAME: icap_persistent_connections +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: Adaptation::Icap::TheConfig.reuse_connections +DEFAULT: on +DOC_START + Whether or not Squid should use persistent connections to + an ICAP server. +DOC_END + +NAME: icap_send_client_ip +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: Adaptation::Icap::TheConfig.send_client_ip +DEFAULT: off +DOC_START + This adds the header "X-Client-IP" to ICAP requests. +DOC_END + +NAME: icap_send_client_username +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: Adaptation::Icap::TheConfig.send_client_username +DEFAULT: off +DOC_START + This sends authenticated HTTP client username (if available) to + the ICAP service. The username value is encoded based on the + icap_client_username_encode option and is sent using the header + specified by the icap_client_username_header option. +DOC_END + +NAME: icap_client_username_header +TYPE: string +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig.client_username_header +DEFAULT: X-Client-Username +DOC_START + ICAP request header name to use for send_client_username. +DOC_END + +NAME: icap_client_username_encode +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: Adaptation::Icap::TheConfig.client_username_encode +DEFAULT: off +DOC_START + Whether to base64 encode the authenticated client username. 
+DOC_END + +NAME: icap_service +TYPE: icap_service_type +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig +DEFAULT: none +DOC_START + Defines a single ICAP service using the following format: + + icap_service service_name vectoring_point [options] service_url + + service_name: ID + an opaque identifier which must be unique in squid.conf + + vectoring_point: reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache + This specifies at which point of transaction processing the + ICAP service should be activated. *_postcache vectoring points + are not yet supported. + + service_url: icap://servername:port/servicepath + ICAP server and service location. + + ICAP does not allow a single service to handle both REQMOD and RESPMOD + transactions. Squid does not enforce that requirement. You can specify + services with the same service_url and different vectoring_points. You + can even specify multiple identical services as long as their + service_names differ. + + + Service options are separated by white space. ICAP services support + the following name=value options: + + bypass=on|off|1|0 + If set to 'on' or '1', the ICAP service is treated as + optional. If the service cannot be reached or malfunctions, + Squid will try to ignore any errors and process the message as + if the service was not enabled. No all ICAP errors can be + bypassed. If set to 0, the ICAP service is treated as + essential and all ICAP errors will result in an error page + returned to the HTTP client. + + Bypass is off by default: services are treated as essential. + + routing=on|off|1|0 + If set to 'on' or '1', the ICAP service is allowed to + dynamically change the current message adaptation plan by + returning a chain of services to be used next. The services + are specified using the X-Next-Services ICAP response header + value, formatted as a comma-separated list of service names. 
+ Each named service should be configured in squid.conf and + should have the same method and vectoring point as the current + ICAP transaction. Services violating these rules are ignored. + An empty X-Next-Services value results in an empty plan which + ends the current adaptation. + + Routing is not allowed by default: the ICAP X-Next-Services + response header is ignored. + + Older icap_service format without optional named parameters is + deprecated but supported for backward compatibility. + +Example: +icap_service svcBlocker reqmod_precache bypass=0 icap://icap1.mydomain.net:1344/reqmod +icap_service svcLogger reqmod_precache routing=on icap://icap2.mydomain.net:1344/respmod +DOC_END + +NAME: icap_class +TYPE: icap_class_type +IFDEF: ICAP_CLIENT +LOC: none +DEFAULT: none +DOC_START + This deprecated option was documented to define an ICAP service + chain, even though it actually defined a set of similar, redundant + services, and the chains were not supported. + + To define a set of redundant services, please use the + adaptation_service_set directive. For service chains, use + adaptation_service_chain. +DOC_END + +NAME: icap_access +TYPE: icap_access_type +IFDEF: ICAP_CLIENT +LOC: none +DEFAULT: none +DOC_START + This option is deprecated. Please use adaptation_access, which + has the same ICAP functionality, but comes with better + documentation, and eCAP support. +DOC_END + +COMMENT_START + eCAP OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: ecap_enable +TYPE: onoff +IFDEF: USE_ECAP +COMMENT: on|off +LOC: Adaptation::Ecap::TheConfig.onoff +DEFAULT: off +DOC_START + Controls whether eCAP support is enabled. 
+DOC_END + +NAME: ecap_service +TYPE: ecap_service_type +IFDEF: USE_ECAP +LOC: Adaptation::Ecap::TheConfig +DEFAULT: none +DOC_START + Defines a single eCAP service + + ecap_service servicename vectoring_point bypass service_url + + vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache + This specifies at which point of transaction processing the + eCAP service should be activated. *_postcache vectoring points + are not yet supported. + bypass = 1|0 + If set to 1, the eCAP service is treated as optional. If the + service cannot be reached or malfunctions, Squid will try to + ignore any errors and process the message as if the service + was not enabled. No all eCAP errors can be bypassed. + If set to 0, the eCAP service is treated as essential and all + eCAP errors will result in an error page returned to the + HTTP client. + service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional + +Example: +ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block +ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg +DOC_END + +NAME: loadable_modules +TYPE: wordlist +IFDEF: USE_LOADABLE_MODULES +LOC: Config.loadable_module_names +DEFAULT: none +DOC_START + Instructs Squid to load the specified dynamic module(s) or activate + preloaded module(s). +Example: +loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so +DOC_END + +COMMENT_START + MESSAGE ADAPTATION OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: adaptation_service_set +TYPE: adaptation_service_set_type +IFDEF: USE_ADAPTATION +LOC: none +DEFAULT: none +DOC_START + + Configures an ordered set of similar, redundant services. This is + useful when hot standby or backup adaptation servers are available. + + adaptation_service_set set_name service_name1 service_name2 ... + + The named services are used in the set declaration order. 
The first + applicable adaptation service from the set is used first. The next + applicable service is tried if and only if the transaction with the + previous service fails and the message waiting to be adapted is still + intact. + + When adaptation starts, broken services are ignored as if they were + not a part of the set. A broken service is a down optional service. + + The services in a set must be attached to the same vectoring point + (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). + + If all services in a set are optional then adaptation failures are + bypassable. If all services in the set are essential, then a + transaction failure with one service may still be retried using + another service from the set, but when all services fail, the master + transaction fails as well. + + A set may contain a mix of optional and essential services, but that + is likely to lead to surprising results because broken services become + ignored (see above), making previously bypassable failures fatal. + Technically, it is the bypassability of the last failed service that + matters. + + See also: adaptation_access adaptation_service_chain + +Example: +adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup +adaptation service_set svcLogger loggerLocal loggerRemote +DOC_END + +NAME: adaptation_service_chain +TYPE: adaptation_service_chain_type +IFDEF: USE_ADAPTATION +LOC: none +DEFAULT: none +DOC_START + + Configures a list of complementary services that will be applied + one-by-one, forming an adaptation chain or pipeline. This is useful + when Squid must perform different adaptations on the same message. + + adaptation_service_chain chain_name service_name1 svc_name2 ... + + The named services are used in the chain declaration order. The first + applicable adaptation service from the chain is used first. The next + applicable service is applied to the successful adaptation results of + the previous service in the chain. 
+ + When adaptation starts, broken services are ignored as if they were + not a part of the chain. A broken service is a down optional service. + + Request satisfaction terminates the adaptation chain because Squid + does not currently allow declaration of RESPMOD services at the + "reqmod_precache" vectoring point (see icap_service or ecap_service). + + The services in a chain must be attached to the same vectoring point + (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD). + + A chain may contain a mix of optional and essential services. If an + essential adaptation fails (or the failure cannot be bypassed for + other reasons), the master transaction fails. Otherwise, the failure + is bypassed as if the failed adaptation service was not in the chain. + + See also: adaptation_access adaptation_service_set + +Example: +adaptation_service_chain svcRequest requestLogger urlFilter leakDetector +DOC_END + +NAME: adaptation_access +TYPE: adaptation_access_type +IFDEF: USE_ADAPTATION +LOC: none +DEFAULT: none +DOC_START + Sends an HTTP transaction to an ICAP or eCAP adaptation service. + + adaptation_access service_name allow|deny [!]aclname... + adaptation_access set_name allow|deny [!]aclname... + + At each supported vectoring point, the adaptation_access + statements are processed in the order they appear in this + configuration file. Statements pointing to the following services + are ignored (i.e., skipped without checking their ACL): + + - services serving different vectoring points + - "broken-but-bypassable" services + - "up" services configured to ignore such transactions + (e.g., based on the ICAP Transfer-Ignore header). + + When a set_name is used, all services in the set are checked + using the same rules, to find the first applicable one. See + adaptation_service_set for details. 
+ + If an access list is checked and there is a match, the + processing stops: For an "allow" rule, the corresponding + adaptation service is used for the transaction. For a "deny" + rule, no adaptation service is activated. + + It is currently not possible to apply more than one adaptation + service at the same vectoring point to the same HTTP transaction. + + See also: icap_service and ecap_service + +Example: +adaptation_access service_1 allow all +DOC_END + +NAME: adaptation_service_iteration_limit +TYPE: int +IFDEF: USE_ADAPTATION +LOC: Adaptation::Config::service_iteration_limit +DEFAULT: 16 +DOC_START + Limits the number of iterations allowed when applying adaptation + services to a message. If your longest adaptation set or chain + may have more than 16 services, increase the limit beyond its + default value of 16. If detecting infinite iteration loops sooner + is critical, make the iteration limit match the actual number + of services in your longest adaptation set or chain. + + Infinite adaptation loops are most likely with routing services. + + See also: icap_service routing=1 +DOC_END + +NAME: adaptation_masterx_shared_names +TYPE: string +IFDEF: USE_ADAPTATION +LOC: Adaptation::Config::masterx_shared_name +DEFAULT: none +DOC_START + For each master transaction (i.e., the HTTP request and response + sequence, including all related ICAP and eCAP exchanges), Squid + maintains a table of metadata. The table entries are (name, value) + pairs shared among eCAP and ICAP exchanges. The table is destroyed + with the master transaction. + + This option specifies the table entry names that Squid must accept + from and forward to the adaptation transactions. + + An ICAP REQMOD or RESPMOD transaction may set an entry in the + shared table by returning an ICAP header field with a name + specified in adaptation_masterx_shared_names. Squid will store + and forward that ICAP header field to subsequent ICAP + transactions within the same master transaction scope. 
+ + Only one shared entry name is supported at this time. + +Example: +# share authentication information among ICAP services +adaptation_masterx_shared_names X-Subscriber-ID +DOC_END + +NAME: icap_retry +TYPE: acl_access +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig.repeat +DEFAULT: none +DEFAULT_IF_NONE: deny all +DOC_START + This ACL determines which retriable ICAP transactions are + retried. Transactions that received a complete ICAP response + and did not have to consume or produce HTTP bodies to receive + that response are usually retriable. + + icap_retry allow|deny [!]aclname ... + + Squid automatically retries some ICAP I/O timeouts and errors + due to persistent connection race conditions. + + See also: icap_retry_limit +DOC_END + +NAME: icap_retry_limit +TYPE: int +IFDEF: ICAP_CLIENT +LOC: Adaptation::Icap::TheConfig.repeat_limit +DEFAULT: 0 +DOC_START + Limits the number of retries allowed. When set to zero (default), + no retries are allowed. + + Communication errors due to persistent connection race + conditions are unavoidable, automatically retried, and do not + count against this limit. + + See also: icap_retry +DOC_END + + +COMMENT_START + DNS OPTIONS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: check_hostnames +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.check_hostnames +DOC_START + For security and stability reasons Squid can check + hostnames for Internet standard RFC compliance. If you want + Squid to perform these checks turn this directive on. +DOC_END + +NAME: allow_underscore +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.allow_underscore +DOC_START + Underscore characters is not strictly allowed in Internet hostnames + but nevertheless used by many sites. Set this to off if you want + Squid to be strict about the standard. + This check is performed only when check_hostnames is set to on. 
+DOC_END + +NAME: cache_dns_program +TYPE: string +IFDEF: USE_DNSSERVERS +DEFAULT: @DEFAULT_DNSSERVER@ +LOC: Config.Program.dnsserver +DOC_START + Specify the location of the executable for dnslookup process. +DOC_END + +NAME: dns_children +TYPE: HelperChildConfig +IFDEF: USE_DNSSERVERS +DEFAULT: 32 startup=1 idle=1 +LOC: Config.dnsChildren +DOC_START + The maximum number of processes spawn to service DNS name lookups. + If you limit it too few Squid will have to wait for them to process + a backlog of requests, slowing it down. If you allow too many they + will use RAM and other system resources noticably. + The maximum this may be safely set to is 32. + + The startup= and idle= options allow some measure of skew in your + tuning. + + startup= + + Sets a minimum of how many processes are to be spawned when Squid + starts or reconfigures. When set to zero the first request will + cause spawning of the first child process to handle it. + + Starting too few will cause an initial slowdown in traffic as Squid + attempts to simultaneously spawn enough processes to cope. + + idle= + + Sets a minimum of how many processes Squid is to try and keep available + at all times. When traffic begins to rise above what the existing + processes can handle this many more will be spawned up to the maximum + configured. A minimum setting of 1 is required. +DOC_END + +NAME: dns_retransmit_interval +TYPE: time_t +DEFAULT: 5 seconds +LOC: Config.Timeout.idns_retransmit +IFDEF: !USE_DNSSERVERS +DOC_START + Initial retransmit interval for DNS queries. The interval is + doubled each time all configured DNS servers have been tried. +DOC_END + +NAME: dns_timeout +TYPE: time_t +DEFAULT: 2 minutes +LOC: Config.Timeout.idns_query +IFDEF: !USE_DNSSERVERS +DOC_START + DNS Query timeout. If no response is received to a DNS query + within this time all DNS servers for the queried domain + are assumed to be unavailable. 
+DOC_END + +NAME: dns_defnames +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.res_defnames +DOC_START + Normally the RES_DEFNAMES resolver option is disabled + (see res_init(3)). This prevents caches in a hierarchy + from interpreting single-component hostnames locally. To allow + Squid to handle single-component names, enable this option. +DOC_END + +NAME: dns_nameservers +TYPE: wordlist +DEFAULT: none +LOC: Config.dns_nameservers +DOC_START + Use this if you want to specify a list of DNS name servers + (IP addresses) to use instead of those given in your + /etc/resolv.conf file. + On Windows platforms, if no value is specified here or in + the /etc/resolv.conf file, the list of DNS name servers are + taken from the Windows registry, both static and dynamic DHCP + configurations are supported. + + Example: dns_nameservers 10.0.0.1 192.172.0.4 +DOC_END + +NAME: hosts_file +TYPE: string +DEFAULT: @DEFAULT_HOSTS@ +LOC: Config.etcHostsPath +DOC_START + Location of the host-local IP name-address associations + database. Most Operating Systems have such a file on different + default locations: + - Un*X & Linux: /etc/hosts + - Windows NT/2000: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\winnt) + - Windows XP/2003: %SystemRoot%\system32\drivers\etc\hosts + (%SystemRoot% value install default is c:\windows) + - Windows 9x/Me: %windir%\hosts + (%windir% value is usually c:\windows) + - Cygwin: /etc/hosts + + The file contains newline-separated definitions, in the + form ip_address_in_dotted_form name [name ...] names are + whitespace-separated. Lines beginning with an hash (#) + character are comments. + + The file is checked at startup and upon configuration. + If set to 'none', it won't be checked. + If append_domain is used, that domain will be added to + domain-local (i.e. not containing any dot character) host + definitions. 
+DOC_END + +NAME: append_domain +TYPE: string +LOC: Config.appendDomain +DEFAULT: none +DOC_START + Appends local domain name to hostnames without any dots in + them. append_domain must begin with a period. + + Be warned there are now Internet names with no dots in + them using only top-domain names, so setting this may + cause some Internet sites to become unavailable. + +Example: + append_domain .yourdomain.com +DOC_END + +NAME: ignore_unknown_nameservers +TYPE: onoff +LOC: Config.onoff.ignore_unknown_nameservers +DEFAULT: on +DOC_START + By default Squid checks that DNS responses are received + from the same IP addresses they are sent to. If they + don't match, Squid ignores the response and writes a warning + message to cache.log. You can allow responses from unknown + nameservers by setting this option to 'off'. +DOC_END + +NAME: dns_v4_fallback +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.dns_require_A +DOC_START + Standard practice with DNS is to lookup either A or AAAA records + and use the results if it succeeds. Only looking up the other if + the first attempt fails or otherwise produces no results. + + That policy however will cause squid to produce error pages for some + servers that advertise AAAA but are unreachable over IPv6. + + If this is ON squid will always lookup both AAAA and A, using both. + If this is OFF squid will lookup AAAA and only try A if none found. + + WARNING: There are some possibly unwanted side-effects with this on: + *) Doubles the load placed by squid on the DNS network. + *) May negatively impact connection delay times. +DOC_END + +NAME: ipcache_size +COMMENT: (number of entries) +TYPE: int +DEFAULT: 1024 +LOC: Config.ipcache.size +DOC_NONE + +NAME: ipcache_low +COMMENT: (percent) +TYPE: int +DEFAULT: 90 +LOC: Config.ipcache.low +DOC_NONE + +NAME: ipcache_high +COMMENT: (percent) +TYPE: int +DEFAULT: 95 +LOC: Config.ipcache.high +DOC_START + The size, low-, and high-water marks for the IP cache. 
+DOC_END + +NAME: fqdncache_size +COMMENT: (number of entries) +TYPE: int +DEFAULT: 1024 +LOC: Config.fqdncache.size +DOC_START + Maximum number of FQDN cache entries. +DOC_END + +COMMENT_START + MISCELLANEOUS + ----------------------------------------------------------------------------- +COMMENT_END + +NAME: memory_pools +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.mem_pools +DOC_START + If set, Squid will keep pools of allocated (but unused) memory + available for future use. If memory is a premium on your + system and you believe your malloc library outperforms Squid + routines, disable this. +DOC_END + +NAME: memory_pools_limit +COMMENT: (bytes) +TYPE: b_size_t +DEFAULT: 5 MB +LOC: Config.MemPools.limit +DOC_START + Used only with memory_pools on: + memory_pools_limit 50 MB + + If set to a non-zero value, Squid will keep at most the specified + limit of allocated (but unused) memory in memory pools. All free() + requests that exceed this limit will be handled by your malloc + library. Squid does not pre-allocate any memory, just safe-keeps + objects that otherwise would be free()d. Thus, it is safe to set + memory_pools_limit to a reasonably high value even if your + configuration will use less memory. + + If set to zero, Squid will keep all memory it can. That is, there + will be no limit on the total amount of memory used for safe-keeping. + + To disable memory allocation optimization, do not set + memory_pools_limit to 0. Set memory_pools to "off" instead. + + An overhead for maintaining memory pools is not taken into account + when the limit is checked. This overhead is close to four bytes per + object kept. However, pools may actually _save_ memory because of + reduced memory thrashing in your malloc library. 
+DOC_END + +NAME: forwarded_for +COMMENT: on|off|transparent|truncate|delete +TYPE: string +DEFAULT: on +LOC: opt_forwarded_for +DOC_START + If set to "on", Squid will append your client's IP address + in the HTTP requests it forwards. By default it looks like: + + X-Forwarded-For: 192.1.2.3 + + If set to "off", it will appear as + + X-Forwarded-For: unknown + + If set to "transparent", Squid will not alter the + X-Forwarded-For header in any way. + + If set to "delete", Squid will delete the entire + X-Forwarded-For header. + + If set to "truncate", Squid will remove all existing + X-Forwarded-For entries, and place itself as the sole entry. +DOC_END + +NAME: cachemgr_passwd +TYPE: cachemgrpasswd +DEFAULT: none +LOC: Config.passwd_list +DOC_START + Specify passwords for cachemgr operations. + + Usage: cachemgr_passwd password action action ... + + Some valid actions are (see cache manager menu for a full list): + 5min + 60min + asndb + authenticator + cbdata + client_list + comm_incoming + config * + counters + delay + digest_stats + dns + events + filedescriptors + fqdncache + histograms + http_headers + info + io + ipcache + mem + menu + netdb + non_peers + objects + offline_toggle * + pconn + peer_select + reconfigure * + redirector + refresh + server_list + shutdown * + store_digest + storedir + utilization + via_headers + vm_objects + + * Indicates actions which will not be performed without a + valid password, others can be performed if not listed here. + + To disable an action, set the password to "disable". + To allow performing an action without a password, set the + password to "none". + + Use the keyword "all" to set the same password for all actions. 
+ +Example: + cachemgr_passwd secret shutdown + cachemgr_passwd lesssssssecret info stats/objects + cachemgr_passwd disable all +DOC_END + +NAME: client_db +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.client_db +DOC_START + If you want to disable collecting per-client statistics, + turn off client_db here. +DOC_END + +NAME: refresh_all_ims +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.refresh_all_ims +DOC_START + When you enable this option, squid will always check + the origin server for an update when a client sends an + If-Modified-Since request. Many browsers use IMS + requests when the user requests a reload, and this + ensures those clients receive the latest version. + + By default (off), squid may return a Not Modified response + based on the age of the cached version. +DOC_END + +NAME: reload_into_ims +IFDEF: HTTP_VIOLATIONS +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.reload_into_ims +DOC_START + When you enable this option, client no-cache or ``reload'' + requests will be changed to If-Modified-Since requests. + Doing this VIOLATES the HTTP standard. Enabling this + feature could make you liable for problems which it + causes. + + see also refresh_pattern for a more selective approach. +DOC_END + +NAME: maximum_single_addr_tries +TYPE: int +LOC: Config.retry.maxtries +DEFAULT: 1 +DOC_START + This sets the maximum number of connection attempts for a + host that only has one address (for multiple-address hosts, + each address is tried once). + + The default value is one attempt, the (not recommended) + maximum is 255 tries. A warning message will be generated + if it is set to a value greater than ten. + + Note: This is in addition to the request re-forwarding which + takes place if Squid fails to get a satisfying response. 
+DOC_END + +NAME: retry_on_error +TYPE: onoff +LOC: Config.retry.onerror +DEFAULT: off +DOC_START + If set to on Squid will automatically retry requests when + receiving an error response. This is mainly useful if you + are in a complex cache hierarchy to work around access + control errors. +DOC_END + +NAME: as_whois_server +TYPE: string +LOC: Config.as_whois_server +DEFAULT: whois.ra.net +DEFAULT_IF_NONE: whois.ra.net +DOC_START + WHOIS server to query for AS numbers. NOTE: AS numbers are + queried only when Squid starts up, not for every request. +DOC_END + +NAME: offline_mode +TYPE: onoff +LOC: Config.onoff.offline +DEFAULT: off +DOC_START + Enable this option and Squid will never try to validate cached + objects. +DOC_END + +NAME: uri_whitespace +TYPE: uri_whitespace +LOC: Config.uri_whitespace +DEFAULT: strip +DOC_START + What to do with requests that have whitespace characters in the + URI. Options: + + strip: The whitespace characters are stripped out of the URL. + This is the behavior recommended by RFC2396. + deny: The request is denied. The user receives an "Invalid + Request" message. + allow: The request is allowed and the URI is not changed. The + whitespace characters remain in the URI. Note the + whitespace is passed to redirector processes if they + are in use. + encode: The request is allowed and the whitespace characters are + encoded according to RFC1738. This could be considered + a violation of the HTTP/1.1 + RFC because proxies are not allowed to rewrite URI's. + chop: The request is allowed and the URI is chopped at the + first whitespace. This might also be considered a + violation. +DOC_END + +NAME: chroot +TYPE: string +LOC: Config.chroot_dir +DEFAULT: none +DOC_START + Specifies a directory where Squid should do a chroot() while + initializing. This also causes Squid to fully drop root + privileges after initializing. 
This means, for example, if you + use a HTTP port less than 1024 and try to reconfigure, you may + get an error saying that Squid can not open the port. +DOC_END + +NAME: balance_on_multiple_ip +TYPE: onoff +LOC: Config.onoff.balance_on_multiple_ip +DEFAULT: off +DOC_START + Modern IP resolvers in squid sort lookup results by preferred access. + By default squid will use these IP in order and only rotates to + the next listed when the most preffered fails. + + Some load balancing servers based on round robin DNS have been + found not to preserve user session state across requests + to different IP addresses. + + Enabling this directive Squid rotates IP's per request. +DOC_END + +NAME: pipeline_prefetch +TYPE: onoff +LOC: Config.onoff.pipeline_prefetch +DEFAULT: off +DOC_START + To boost the performance of pipelined requests to closer + match that of a non-proxied environment Squid can try to fetch + up to two requests in parallel from a pipeline. + + Defaults to off for bandwidth management and access logging + reasons. +DOC_END + +NAME: high_response_time_warning +TYPE: int +COMMENT: (msec) +LOC: Config.warnings.high_rptm +DEFAULT: 0 +DOC_START + If the one-minute median response time exceeds this value, + Squid prints a WARNING with debug level 0 to get the + administrators attention. The value is in milliseconds. +DOC_END + +NAME: high_page_fault_warning +TYPE: int +LOC: Config.warnings.high_pf +DEFAULT: 0 +DOC_START + If the one-minute average page fault rate exceeds this + value, Squid prints a WARNING with debug level 0 to get + the administrators attention. The value is in page faults + per second. +DOC_END + +NAME: high_memory_warning +TYPE: b_size_t +LOC: Config.warnings.high_memory +DEFAULT: 0 KB +DOC_START + If the memory usage (as determined by mallinfo) exceeds + this amount, Squid prints a WARNING with debug level 0 to get + the administrators attention. 
+DOC_END + +NAME: sleep_after_fork +COMMENT: (microseconds) +TYPE: int +LOC: Config.sleep_after_fork +DEFAULT: 0 +DOC_START + When this is set to a non-zero value, the main Squid process + sleeps the specified number of microseconds after a fork() + system call. This sleep may help the situation where your + system reports fork() failures due to lack of (virtual) + memory. Note, however, if you have a lot of child + processes, these sleep delays will add up and your + Squid will not service requests for some amount of time + until all the child processes have been started. + On Windows value less then 1000 (1 milliseconds) are + rounded to 1000. +DOC_END + +NAME: windows_ipaddrchangemonitor +IFDEF: _SQUID_MSWIN_ +COMMENT: on|off +TYPE: onoff +DEFAULT: on +LOC: Config.onoff.WIN32_IpAddrChangeMonitor +DOC_START + On Windows Squid by default will monitor IP address changes and will + reconfigure itself after any detected event. This is very useful for + proxies connected to internet with dial-up interfaces. + In some cases (a Proxy server acting as VPN gateway is one) it could be + desiderable to disable this behaviour setting this to 'off'. + Note: after changing this, Squid service must be restarted. +DOC_END + +NAME: eui_lookup +TYPE: onoff +IFDEF: USE_SQUID_EUI +DEFAULT: on +LOC: Eui::TheConfig.euiLookup +DOC_START + Whether to lookup the EUI or MAC address of a connected client. +DOC_END + +NAME: access_sibling_for_stale_resource +COMMENT: on|off +TYPE: onoff +DEFAULT: off +LOC: Config.onoff.access_sibling_for_stale_resource +DOC_START + By default, Squid will not contact siblings for cached but + expired (stale) resources. If this directive is set to on, + that behavior will change unless sibling has allow-miss option set. +DOC_END + +EOF === modified file 'src/neighbors.cc' --- src/neighbors.cc 2010-05-02 19:32:42 +0000 +++ src/neighbors.cc 2010-05-18 20:24:54 +0000 
@@ -1,1849 +1,1855 @@ -/* - * DEBUG: section 15 Neighbor Routines - * AUTHOR: Harvest Derived - * - * SQUID Web Proxy Cache http://www.squid-cache.org/ - * ---------------------------------------------------------- - * - * Squid is the result of efforts by numerous individuals from - * the Internet community; see the CONTRIBUTORS file for full - * details. Many organizations have provided support for Squid's - * development; see the SPONSORS file for full details. Squid is - * Copyrighted (C) 2001 by the Regents of the University of - * California; see the COPYRIGHT file for full details. Squid - * incorporates software developed and/or copyrighted by other - * sources; see the CREDITS file for full details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. 
- * - */ - -#include "squid.h" -#include "ProtoPort.h" -#include "acl/FilledChecklist.h" -#include "event.h" -#include "CacheManager.h" -#include "htcp.h" -#include "HttpRequest.h" -#include "ICP.h" -#include "MemObject.h" -#include "PeerDigest.h" -#include "PeerSelectState.h" -#include "SquidMath.h" -#include "SquidTime.h" -#include "Store.h" -#include "icmp/net_db.h" -#include "ip/Address.h" - -/* count mcast group peers every 15 minutes */ -#define MCAST_COUNT_RATE 900 - -int peerAllowedToUse(const peer *, HttpRequest *); -static int peerWouldBePinged(const peer *, HttpRequest *); -static void neighborRemove(peer *); -static void neighborAlive(peer *, const MemObject *, const icp_common_t *); -#if USE_HTCP -static void neighborAliveHtcp(peer *, const MemObject *, const htcpReplyData *); -#endif -static void neighborCountIgnored(peer *); -static void peerRefreshDNS(void *); -static IPH peerDNSConfigure; -static int peerProbeConnect(peer *); -static CNCB peerProbeConnectDone; -static void peerCountMcastPeersDone(void *data); -static void peerCountMcastPeersStart(void *data); -static void peerCountMcastPeersSchedule(peer * p, time_t when); -static IRCB peerCountHandleIcpReply; - -static void neighborIgnoreNonPeer(const Ip::Address &, icp_opcode); -static OBJH neighborDumpPeers; -static OBJH neighborDumpNonPeers; -static void dump_peers(StoreEntry * sentry, peer * peers); - -static icp_common_t echo_hdr; -static u_short echo_port; - -static int NLateReplies = 0; -static peer *first_ping = NULL; - -const char * -neighborTypeStr(const peer * p) -{ - if (p->type == PEER_NONE) - return "Non-Peer"; - - if (p->type == PEER_SIBLING) - return "Sibling"; - - if (p->type == PEER_MULTICAST) - return "Multicast Group"; - - return "Parent"; -} - - -peer * -whichPeer(const Ip::Address &from) -{ - int j; - - peer *p = NULL; - debugs(15, 3, "whichPeer: from " << from); - - for (p = Config.peers; p; p = p->next) { - for (j = 0; j < p->n_addresses; j++) { - if (from == 
p->addresses[j] && from.GetPort() == p->icp.port) { - return p; - } - } - } - - return NULL; -} - -peer_t -neighborType(const peer * p, const HttpRequest * request) -{ - - const struct _domain_type *d = NULL; - - for (d = p->typelist; d; d = d->next) { - if (0 == matchDomainName(request->GetHost(), d->domain)) - if (d->type != PEER_NONE) - return d->type; - } -#if PEER_MULTICAST_SIBLINGS - if (p->type == PEER_MULTICAST) - if (p->options.mcast_siblings) - return PEER_SIBLING; -#endif - - return p->type; -} - -/* - * peerAllowedToUse - * - * this function figures out if it is appropriate to fetch REQUEST - * from PEER. - */ -int -peerAllowedToUse(const peer * p, HttpRequest * request) -{ - - const struct _domain_ping *d = NULL; - int do_ping = 1; - assert(request != NULL); - - if (neighborType(p, request) == PEER_SIBLING) { -#if PEER_MULTICAST_SIBLINGS - if (p->type == PEER_MULTICAST && p->options.mcast_siblings && - (request->flags.nocache || request->flags.refresh || request->flags.loopdetect || request->flags.need_validation)) - debugs(15, 2, "peerAllowedToUse(" << p->name << ", " << request->GetHost() << ") : multicast-siblings optimization match"); -#endif - if (request->flags.nocache) - return 0; - - if (request->flags.refresh) - return 0; - - if (request->flags.loopdetect) - return 0; - - if (request->flags.need_validation) - return 0; - } - - if (p->peer_domain == NULL && p->access == NULL) - return do_ping; - - do_ping = 0; - - for (d = p->peer_domain; d; d = d->next) { - if (0 == matchDomainName(request->GetHost(), d->domain)) { - do_ping = d->do_ping; - break; - } - - do_ping = !d->do_ping; - } - - if (p->peer_domain && 0 == do_ping) - return do_ping; - - if (p->access == NULL) - return do_ping; - - ACLFilledChecklist checklist(p->access, request, NULL); - checklist.src_addr = request->client_addr; - checklist.my_addr = request->my_addr; - -#if 0 && USE_IDENT - /* - * this is currently broken because 'request->user_ident' has been - * moved to conn->rfc931 
and we don't have access to the parent - * ConnStateData here. - */ - if (request->user_ident[0]) - xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ); - -#endif - - return checklist.fastCheck(); -} - -/* Return TRUE if it is okay to send an ICP request to this peer. */ -static int -peerWouldBePinged(const peer * p, HttpRequest * request) -{ - if (!peerAllowedToUse(p, request)) - return 0; - - if (p->options.no_query) - return 0; - - if (p->options.background_ping && (squid_curtime - p->stats.last_query < Config.backgroundPingRate)) - return 0; - - if (p->options.mcast_responder) - return 0; - - if (p->n_addresses == 0) - return 0; - - if (p->icp.port == 0) - return 0; - - /* the case below seems strange, but can happen if the - * URL host is on the other side of a firewall */ - if (p->type == PEER_SIBLING) - if (!request->flags.hierarchical) - return 0; - - /* Ping dead peers every timeout interval */ - if (squid_curtime - p->stats.last_query > Config.Timeout.deadPeer) - return 1; - - if (!neighborUp(p)) - return 0; - - return 1; -} - -/* Return TRUE if it is okay to send an HTTP request to this peer. */ -int -peerHTTPOkay(const peer * p, HttpRequest * request) -{ - if (!peerAllowedToUse(p, request)) - return 0; - - if (!neighborUp(p)) - return 0; - - if (p->max_conn) - if (p->stats.conn_open >= p->max_conn) - return 0; - - return 1; -} - -int -neighborsCount(HttpRequest * request) -{ - peer *p = NULL; - int count = 0; - - for (p = Config.peers; p; p = p->next) - if (peerWouldBePinged(p, request)) - count++; - - debugs(15, 3, "neighborsCount: " << count); - - return count; -} - -peer * -getFirstUpParent(HttpRequest * request) -{ - peer *p = NULL; - - for (p = Config.peers; p; p = p->next) { - if (!neighborUp(p)) - continue; - - if (neighborType(p, request) != PEER_PARENT) - continue; - - if (!peerHTTPOkay(p, request)) - continue; - - break; - } - - debugs(15, 3, "getFirstUpParent: returning " << (p ? 
p->host : "NULL")); - return p; -} - -peer * -getRoundRobinParent(HttpRequest * request) -{ - peer *p; - peer *q = NULL; - - for (p = Config.peers; p; p = p->next) { - if (!p->options.roundrobin) - continue; - - if (neighborType(p, request) != PEER_PARENT) - continue; - - if (!peerHTTPOkay(p, request)) - continue; - - if (p->weight == 0) - continue; - - if (q) { - if (p->weight == q->weight) { - if (q->rr_count < p->rr_count) - continue; - } else if ( (double) q->rr_count / q->weight < (double) p->rr_count / p->weight) { - continue; - } - } - - q = p; - } - - if (q) - q->rr_count++; - - debugs(15, 3, HERE << "returning " << (q ? q->host : "NULL")); - - return q; -} - -peer * -getWeightedRoundRobinParent(HttpRequest * request) -{ - peer *p; - peer *q = NULL; - int weighted_rtt; - - for (p = Config.peers; p; p = p->next) { - if (!p->options.weighted_roundrobin) - continue; - - if (neighborType(p, request) != PEER_PARENT) - continue; - - if (!peerHTTPOkay(p, request)) - continue; - - if (q && q->rr_count < p->rr_count) - continue; - - q = p; - } - - if (q && q->rr_count > 1000000) - for (p = Config.peers; p; p = p->next) { - if (!p->options.weighted_roundrobin) - continue; - - if (neighborType(p, request) != PEER_PARENT) - continue; - - p->rr_count = 0; - } - - if (q) { - weighted_rtt = (q->stats.rtt - q->basetime) / q->weight; - - if (weighted_rtt < 1) - weighted_rtt = 1; - - q->rr_count += weighted_rtt; - - debugs(15, 3, "getWeightedRoundRobinParent: weighted_rtt " << weighted_rtt); - } - - debugs(15, 3, "getWeightedRoundRobinParent: returning " << (q ? q->host : "NULL")); - return q; -} - -/** - * This gets called every 5 minutes to clear the round-robin counter. - * The exact timing is an arbitrary default, set on estimate timing of a - * large number of requests in a high-performance environment during the - * period. The larger the number of requests between cycled resets the - * more balanced the operations. - * - \param data unused. 
- \todo Make the reset timing a selectable parameter in squid.conf - */ -static void -peerClearRRLoop(void *data) -{ - peerClearRR(); - eventAdd("peerClearRR", peerClearRRLoop, data, 5 * 60.0, 0); -} - -/** - * This gets called on startup and restart to kick off the peer round-robin - * maintenance event. It ensures that no matter how many times its called - * no more than one event is scheduled. - */ -void -peerClearRRStart(void) -{ - static int event_added = 0; - if (!event_added) { - peerClearRRLoop(NULL); - } -} - -/** - * Called whenever the round-robin counters need to be reset to a sane state. - * So far those times are: - * - On startup and reconfigure - to set the counters to sane initial settings. - * - When a peer has revived from dead, to prevent the revived peer being - * flooded with requests which it has 'missed' during the down period. - */ -void -peerClearRR() -{ - peer *p = NULL; - for (p = Config.peers; p; p = p->next) { - p->rr_count = 0; - } -} - -/** - * Perform all actions when a peer is detected revived. - */ -void -peerAlive(peer *p) -{ - if (p->stats.logged_state == PEER_DEAD && p->tcp_up) { - debugs(15, 1, "Detected REVIVED " << neighborTypeStr(p) << ": " << p->name); - p->stats.logged_state = PEER_ALIVE; - peerClearRR(); - } - - p->stats.last_reply = squid_curtime; - p->stats.probe_start = 0; -} - -peer * -getDefaultParent(HttpRequest * request) -{ - peer *p = NULL; - - for (p = Config.peers; p; p = p->next) { - if (neighborType(p, request) != PEER_PARENT) - continue; - - if (!p->options.default_parent) - continue; - - if (!peerHTTPOkay(p, request)) - continue; - - debugs(15, 3, "getDefaultParent: returning " << p->host); - - return p; - } - - debugs(15, 3, "getDefaultParent: returning NULL"); - return NULL; -} - -/* - * XXX DW thinks this function is equivalent to/redundant with - * getFirstUpParent(). peerHTTPOkay() only returns true if the - * peer is UP anyway, so this function would not return a - * DOWN parent. 
- */ -peer * -getAnyParent(HttpRequest * request) -{ - peer *p = NULL; - - for (p = Config.peers; p; p = p->next) { - if (neighborType(p, request) != PEER_PARENT) - continue; - - if (!peerHTTPOkay(p, request)) - continue; - - debugs(15, 3, "getAnyParent: returning " << p->host); - - return p; - } - - debugs(15, 3, "getAnyParent: returning NULL"); - return NULL; -} - -peer * -getNextPeer(peer * p) -{ - return p->next; -} - -peer * -getFirstPeer(void) -{ - return Config.peers; -} - -static void -neighborRemove(peer * target) -{ - peer *p = NULL; - peer **P = NULL; - p = Config.peers; - P = &Config.peers; - - while (p) { - if (target == p) - break; - - P = &p->next; - - p = p->next; - } - - if (p) { - *P = p->next; - cbdataFree(p); - Config.npeers--; - } - - first_ping = Config.peers; -} - -static void -neighborsRegisterWithCacheManager() -{ - CacheManager *manager = CacheManager::GetInstance(); - manager->registerAction("server_list", - "Peer Cache Statistics", - neighborDumpPeers, 0, 1); - - if (theInIcpConnection >= 0) { - manager->registerAction("non_peers", - "List of Unknown sites sending ICP messages", - neighborDumpNonPeers, 0, 1); - } -} - -void -neighbors_init(void) -{ - Ip::Address nul; - struct addrinfo *AI = NULL; - struct servent *sep = NULL; - const char *me = getMyHostname(); - peer *thisPeer = NULL; - peer *next = NULL; - int fd = theInIcpConnection; - - neighborsRegisterWithCacheManager(); - - /* setup addrinfo for use */ - nul.InitAddrInfo(AI); - - if (fd >= 0) { - - if (getsockname(fd, AI->ai_addr, &AI->ai_addrlen) < 0) - debugs(15, 1, "getsockname(" << fd << "," << AI->ai_addr << "," << &AI->ai_addrlen << ") failed."); - - for (thisPeer = Config.peers; thisPeer; thisPeer = next) { - http_port_list *s = NULL; - next = thisPeer->next; - - if (0 != strcmp(thisPeer->host, me)) - continue; - - for (s = Config.Sockaddr.http; s; s = s->next) { - if (thisPeer->http_port != s->s.GetPort()) - continue; - - debugs(15, 1, "WARNING: Peer looks like this 
host"); - - debugs(15, 1, " Ignoring " << - neighborTypeStr(thisPeer) << " " << thisPeer->host << - "/" << thisPeer->http_port << "/" << - thisPeer->icp.port); - - neighborRemove(thisPeer); - } - } - } - - peerRefreshDNS((void *) 1); - - if (ICP_INVALID == echo_hdr.opcode) { - echo_hdr.opcode = ICP_SECHO; - echo_hdr.version = ICP_VERSION_CURRENT; - echo_hdr.length = 0; - echo_hdr.reqnum = 0; - echo_hdr.flags = 0; - echo_hdr.pad = 0; - nul = *AI; - nul.GetInAddr( *((struct in_addr*)&echo_hdr.shostid) ); - sep = getservbyname("echo", "udp"); - echo_port = sep ? ntohs((u_short) sep->s_port) : 7; - } - - first_ping = Config.peers; - nul.FreeAddrInfo(AI); -} - -int -neighborsUdpPing(HttpRequest * request, - StoreEntry * entry, - IRCB * callback, - void *callback_data, - int *exprep, - int *timeout) -{ - const char *url = entry->url(); - MemObject *mem = entry->mem_obj; - peer *p = NULL; - int i; - int reqnum = 0; - int flags; - icp_common_t *query; - int queries_sent = 0; - int peers_pinged = 0; - int parent_timeout = 0, parent_exprep = 0; - int sibling_timeout = 0, sibling_exprep = 0; - int mcast_timeout = 0, mcast_exprep = 0; - - if (Config.peers == NULL) - return 0; - - assert(entry->swap_status == SWAPOUT_NONE); - - mem->start_ping = current_time; - - mem->ping_reply_callback = callback; - - mem->ircb_data = callback_data; - - reqnum = icpSetCacheKey((const cache_key *)entry->key); - - for (i = 0, p = first_ping; i++ < Config.npeers; p = p->next) { - if (p == NULL) - p = Config.peers; - - debugs(15, 5, "neighborsUdpPing: Peer " << p->host); - - if (!peerWouldBePinged(p, request)) - continue; /* next peer */ - - peers_pinged++; - - debugs(15, 4, "neighborsUdpPing: pinging peer " << p->host << " for '" << url << "'"); - - debugs(15, 3, "neighborsUdpPing: key = '" << entry->getMD5Text() << "'"); - - debugs(15, 3, "neighborsUdpPing: reqnum = " << reqnum); - -#if USE_HTCP - if (p->options.htcp && !p->options.htcp_only_clr) { - if (Config.Port.htcp <= 0) { - debugs(15, 
DBG_CRITICAL, "HTCP is disabled! Cannot send HTCP request to peer."); - continue; - } - - debugs(15, 3, "neighborsUdpPing: sending HTCP query"); - if (htcpQuery(entry, request, p) <= 0) continue; // unable to send. - } else -#endif - { - if (Config.Port.icp <= 0 || theOutIcpConnection <= 0) { - debugs(15, DBG_CRITICAL, "ICP is disabled! Cannot send ICP request to peer."); - continue; - } else { - - if (p->type == PEER_MULTICAST) - mcastSetTtl(theOutIcpConnection, p->mcast.ttl); - - if (p->icp.port == echo_port) { - debugs(15, 4, "neighborsUdpPing: Looks like a dumb cache, send DECHO ping"); - echo_hdr.reqnum = reqnum; - query = _icp_common_t::createMessage(ICP_DECHO, 0, url, reqnum, 0); - icpUdpSend(theOutIcpConnection,p->in_addr,query,LOG_ICP_QUERY,0); - } else { - flags = 0; - - if (Config.onoff.query_icmp) - if (p->icp.version == ICP_VERSION_2) - flags |= ICP_FLAG_SRC_RTT; - - query = _icp_common_t::createMessage(ICP_QUERY, flags, url, reqnum, 0); - - icpUdpSend(theOutIcpConnection, p->in_addr, query, LOG_ICP_QUERY, 0); - } - } - } - - queries_sent++; - - p->stats.pings_sent++; - - if (p->type == PEER_MULTICAST) { - mcast_exprep += p->mcast.n_replies_expected; - mcast_timeout += (p->stats.rtt * p->mcast.n_replies_expected); - } else if (neighborUp(p)) { - /* its alive, expect a reply from it */ - - if (neighborType(p, request) == PEER_PARENT) { - parent_exprep++; - parent_timeout += p->stats.rtt; - } else { - sibling_exprep++; - sibling_timeout += p->stats.rtt; - } - } else { - /* Neighbor is dead; ping it anyway, but don't expect a reply */ - /* log it once at the threshold */ - - if (p->stats.logged_state == PEER_ALIVE) { - debugs(15, 1, "Detected DEAD " << neighborTypeStr(p) << ": " << p->name); - p->stats.logged_state = PEER_DEAD; - } - } - - p->stats.last_query = squid_curtime; - - /* - * keep probe_start == 0 for a multicast peer, - * so neighborUp() never says this peer is dead. 
- */ - - if ((p->type != PEER_MULTICAST) && (p->stats.probe_start == 0)) - p->stats.probe_start = squid_curtime; - } - - if ((first_ping = first_ping->next) == NULL) - first_ping = Config.peers; - - /* - * How many replies to expect? - */ - *exprep = parent_exprep + sibling_exprep + mcast_exprep; - - /* - * If there is a configured timeout, use it - */ - if (Config.Timeout.icp_query) - *timeout = Config.Timeout.icp_query; - else { - if (*exprep > 0) { - if (parent_exprep) - *timeout = 2 * parent_timeout / parent_exprep; - else if (mcast_exprep) - *timeout = 2 * mcast_timeout / mcast_exprep; - else - *timeout = 2 * sibling_timeout / sibling_exprep; - } else - *timeout = 2000; /* 2 seconds */ - - if (Config.Timeout.icp_query_max) - if (*timeout > Config.Timeout.icp_query_max) - *timeout = Config.Timeout.icp_query_max; - - if (*timeout < Config.Timeout.icp_query_min) - *timeout = Config.Timeout.icp_query_min; - } - - return peers_pinged; -} - -/* lookup the digest of a given peer */ -lookup_t -peerDigestLookup(peer * p, HttpRequest * request) -{ -#if USE_CACHE_DIGESTS - const cache_key *key = request ? storeKeyPublicByRequest(request) : NULL; - assert(p); - assert(request); - debugs(15, 5, "peerDigestLookup: peer " << p->host); - /* does the peeer have a valid digest? */ - - if (!p->digest) { - debugs(15, 5, "peerDigestLookup: gone!"); - return LOOKUP_NONE; - } else if (!peerHTTPOkay(p, request)) { - debugs(15, 5, "peerDigestLookup: !peerHTTPOkay"); - return LOOKUP_NONE; - } else if (!p->digest->flags.needed) { - debugs(15, 5, "peerDigestLookup: note need"); - peerDigestNeeded(p->digest); - return LOOKUP_NONE; - } else if (!p->digest->flags.usable) { - debugs(15, 5, "peerDigestLookup: !ready && " << (p->digest->flags.requested ? "" : "!") << "requested"); - return LOOKUP_NONE; - } - - debugs(15, 5, "peerDigestLookup: OK to lookup peer " << p->host); - assert(p->digest->cd); - /* does digest predict a hit? 
*/ - - if (!cacheDigestTest(p->digest->cd, key)) - return LOOKUP_MISS; - - debugs(15, 5, "peerDigestLookup: peer " << p->host << " says HIT!"); - - return LOOKUP_HIT; - -#endif - - return LOOKUP_NONE; -} - -/* select best peer based on cache digests */ -peer * -neighborsDigestSelect(HttpRequest * request) -{ - peer *best_p = NULL; -#if USE_CACHE_DIGESTS - - const cache_key *key; - int best_rtt = 0; - int choice_count = 0; - int ichoice_count = 0; - peer *p; - int p_rtt; - int i; - - if (!request->flags.hierarchical) - return NULL; - - key = storeKeyPublicByRequest(request); - - for (i = 0, p = first_ping; i++ < Config.npeers; p = p->next) { - lookup_t lookup; - - if (!p) - p = Config.peers; - - if (i == 1) - first_ping = p; - - lookup = peerDigestLookup(p, request); - - if (lookup == LOOKUP_NONE) - continue; - - choice_count++; - - if (lookup == LOOKUP_MISS) - continue; - - p_rtt = netdbHostRtt(p->host); - - debugs(15, 5, "neighborsDigestSelect: peer " << p->host << " rtt: " << p_rtt); - - /* is this peer better than others in terms of rtt ? */ - if (!best_p || (p_rtt && p_rtt < best_rtt)) { - best_p = p; - best_rtt = p_rtt; - - if (p_rtt) /* informative choice (aka educated guess) */ - ichoice_count++; - - debugs(15, 4, "neighborsDigestSelect: peer " << p->host << " leads with rtt " << best_rtt); - } - } - - debugs(15, 4, "neighborsDigestSelect: choices: " << choice_count << " (" << ichoice_count << ")"); - peerNoteDigestLookup(request, best_p, - best_p ? LOOKUP_HIT : (choice_count ? LOOKUP_MISS : LOOKUP_NONE)); - request->hier.n_choices = choice_count; - request->hier.n_ichoices = ichoice_count; -#endif - - return best_p; -} - -void -peerNoteDigestLookup(HttpRequest * request, peer * p, lookup_t lookup) -{ -#if USE_CACHE_DIGESTS - if (p) - strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host)); - else - *request->hier.cd_host = '\0'; - - request->hier.cd_lookup = lookup; - debugs(15, 4, "peerNoteDigestLookup: peer " << (p? 
p->host : "") << ", lookup: " << lookup_t_str[lookup] ); -#endif -} - -static void -neighborAlive(peer * p, const MemObject * mem, const icp_common_t * header) -{ - peerAlive(p); - p->stats.pings_acked++; - - if ((icp_opcode) header->opcode <= ICP_END) - p->icp.counts[header->opcode]++; - - p->icp.version = (int) header->version; -} - -static void -neighborUpdateRtt(peer * p, MemObject * mem) -{ - int rtt, rtt_av_factor; - - if (!mem) - return; - - if (!mem->start_ping.tv_sec) - return; - - rtt = tvSubMsec(mem->start_ping, current_time); - - if (rtt < 1 || rtt > 10000) - return; - - rtt_av_factor = RTT_AV_FACTOR; - - if (p->options.weighted_roundrobin) - rtt_av_factor = RTT_BACKGROUND_AV_FACTOR; - - p->stats.rtt = Math::intAverage(p->stats.rtt, rtt, p->stats.pings_acked, rtt_av_factor); -} - -#if USE_HTCP -static void -neighborAliveHtcp(peer * p, const MemObject * mem, const htcpReplyData * htcp) -{ - peerAlive(p); - p->stats.pings_acked++; - p->htcp.counts[htcp->hit ? 1 : 0]++; - p->htcp.version = htcp->version; -} - -#endif - -static void -neighborCountIgnored(peer * p) -{ - if (p == NULL) - return; - - p->stats.ignored_replies++; - - NLateReplies++; -} - -static peer *non_peers = NULL; - -static void -neighborIgnoreNonPeer(const Ip::Address &from, icp_opcode opcode) -{ - peer *np; - - for (np = non_peers; np; np = np->next) { - if (np->in_addr != from) - continue; - - if (np->in_addr.GetPort() != from.GetPort()) - continue; - - break; - } - - if (np == NULL) { - np = (peer *)xcalloc(1, sizeof(peer)); - np->in_addr = from; - np->icp.port = from.GetPort(); - np->type = PEER_NONE; - np->host = new char[MAX_IPSTRLEN]; - from.NtoA(np->host,MAX_IPSTRLEN); - np->next = non_peers; - non_peers = np; - } - - np->icp.counts[opcode]++; - - if (isPowTen(++np->stats.ignored_replies)) - debugs(15, 1, "WARNING: Ignored " << np->stats.ignored_replies << " replies from non-peer " << np->host); -} - -/* ignoreMulticastReply - * - * * We want to ignore replies from multicast peers 
if the - * * cache_host_domain rules would normally prevent the peer - * * from being used - */ -static int -ignoreMulticastReply(peer * p, MemObject * mem) -{ - if (p == NULL) - return 0; - - if (!p->options.mcast_responder) - return 0; - - if (peerHTTPOkay(p, mem->request)) - return 0; - - return 1; -} - -/** - * I should attach these records to the entry. We take the first - * hit we get our wait until everyone misses. The timeout handler - * call needs to nip this shopping list or call one of the misses. - * - * If a hit process is already started, then sobeit - */ -void -neighborsUdpAck(const cache_key * key, icp_common_t * header, const Ip::Address &from) -{ - peer *p = NULL; - StoreEntry *entry; - MemObject *mem = NULL; - peer_t ntype = PEER_NONE; - icp_opcode opcode = (icp_opcode) header->opcode; - - debugs(15, 6, "neighborsUdpAck: opcode " << opcode << " '" << storeKeyText(key) << "'"); - - if (NULL != (entry = Store::Root().get(key))) - mem = entry->mem_obj; - - if ((p = whichPeer(from))) - neighborAlive(p, mem, header); - - if (opcode > ICP_END) - return; - - const char *opcode_d = icp_opcode_str[opcode]; - - if (p) - neighborUpdateRtt(p, mem); - - /* Does the entry exist? 
*/ - if (NULL == entry) { - debugs(12, 3, "neighborsUdpAck: Cache key '" << storeKeyText(key) << "' not found"); - neighborCountIgnored(p); - return; - } - - /* check if someone is already fetching it */ - if (EBIT_TEST(entry->flags, ENTRY_DISPATCHED)) { - debugs(15, 3, "neighborsUdpAck: '" << storeKeyText(key) << "' already being fetched."); - neighborCountIgnored(p); - return; - } - - if (mem == NULL) { - debugs(15, 2, "Ignoring " << opcode_d << " for missing mem_obj: " << storeKeyText(key)); - neighborCountIgnored(p); - return; - } - - if (entry->ping_status != PING_WAITING) { - debugs(15, 2, "neighborsUdpAck: Late " << opcode_d << " for " << storeKeyText(key)); - neighborCountIgnored(p); - return; - } - - if (entry->lock_count == 0) { - debugs(12, 1, "neighborsUdpAck: '" << storeKeyText(key) << "' has no locks"); - neighborCountIgnored(p); - return; - } - - debugs(15, 3, "neighborsUdpAck: " << opcode_d << " for '" << storeKeyText(key) << "' from " << (p ? p->host : "source") << " "); - - if (p) { - ntype = neighborType(p, mem->request); - } - - if (ignoreMulticastReply(p, mem)) { - neighborCountIgnored(p); - } else if (opcode == ICP_MISS) { - if (p == NULL) { - neighborIgnoreNonPeer(from, opcode); - } else { - mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); - } - } else if (opcode == ICP_HIT) { - if (p == NULL) { - neighborIgnoreNonPeer(from, opcode); - } else { - header->opcode = ICP_HIT; - mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); - } - } else if (opcode == ICP_DECHO) { - if (p == NULL) { - neighborIgnoreNonPeer(from, opcode); - } else if (ntype == PEER_SIBLING) { - debug_trap("neighborsUdpAck: Found non-ICP cache as SIBLING\n"); - debug_trap("neighborsUdpAck: non-ICP neighbors must be a PARENT\n"); - } else { - mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); - } - } else if (opcode == ICP_SECHO) { - if (p) { - debugs(15, 1, "Ignoring SECHO from neighbor " << p->host); - 
neighborCountIgnored(p); - } else { - debugs(15, 1, "Unsolicited SECHO from " << from); - } - } else if (opcode == ICP_DENIED) { - if (p == NULL) { - neighborIgnoreNonPeer(from, opcode); - } else if (p->stats.pings_acked > 100) { - if (100 * p->icp.counts[ICP_DENIED] / p->stats.pings_acked > 95) { - debugs(15, 0, "95%% of replies from '" << p->host << "' are UDP_DENIED"); - debugs(15, 0, "Disabling '" << p->host << "', please check your configuration."); - neighborRemove(p); - p = NULL; - } else { - neighborCountIgnored(p); - } - } - } else if (opcode == ICP_MISS_NOFETCH) { - mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); - } else { - debugs(15, 0, "neighborsUdpAck: Unexpected ICP reply: " << opcode_d); - } -} - -peer * -peerFindByName(const char *name) -{ - peer *p = NULL; - - for (p = Config.peers; p; p = p->next) { - if (!strcasecmp(name, p->name)) - break; - } - - return p; -} - -peer * -peerFindByNameAndPort(const char *name, unsigned short port) -{ - peer *p = NULL; - - for (p = Config.peers; p; p = p->next) { - if (strcasecmp(name, p->name)) - continue; - - if (port != p->http_port) - continue; - - break; - } - - return p; -} - -int -neighborUp(const peer * p) -{ - if (!p->tcp_up) { - if (!peerProbeConnect((peer *) p)) { - debugs(15, 8, "neighborUp: DOWN (probed): " << p->host << " (" << p->in_addr << ")"); - return 0; - } - } - - /* - * The peer can not be UP if we don't have any IP addresses - * for it. 
- */ - if (0 == p->n_addresses) { - debugs(15, 8, "neighborUp: DOWN (no-ip): " << p->host << " (" << p->in_addr << ")"); - return 0; - } - - if (p->options.no_query) { - debugs(15, 8, "neighborUp: UP (no-query): " << p->host << " (" << p->in_addr << ")"); - return 1; - } - - if (p->stats.probe_start != 0 && - squid_curtime - p->stats.probe_start > Config.Timeout.deadPeer) { - debugs(15, 8, "neighborUp: DOWN (dead): " << p->host << " (" << p->in_addr << ")"); - return 0; - } - - debugs(15, 8, "neighborUp: UP: " << p->host << " (" << p->in_addr << ")"); - return 1; -} - -void -peerDestroy(void *data) -{ - peer *p = (peer *)data; - - struct _domain_ping *l = NULL; - - struct _domain_ping *nl = NULL; - - if (p == NULL) - return; - - for (l = p->peer_domain; l; l = nl) { - nl = l->next; - safe_free(l->domain); - safe_free(l); - } - - safe_free(p->host); - safe_free(p->name); - safe_free(p->domain); -#if USE_CACHE_DIGESTS - - cbdataReferenceDone(p->digest); -#endif -} - -void -peerNoteDigestGone(peer * p) -{ -#if USE_CACHE_DIGESTS - cbdataReferenceDone(p->digest); -#endif -} - -static void -peerDNSConfigure(const ipcache_addrs *ia, const DnsLookupDetails &, void *data) -{ - peer *p = (peer *)data; - - int j; - - if (p->n_addresses == 0) { - debugs(15, 1, "Configuring " << neighborTypeStr(p) << " " << p->host << "/" << p->http_port << "/" << p->icp.port); - - if (p->type == PEER_MULTICAST) - debugs(15, 1, " Multicast TTL = " << p->mcast.ttl); - } - - p->n_addresses = 0; - - if (ia == NULL) { - debugs(0, 0, "WARNING: DNS lookup for '" << p->host << "' failed!"); - return; - } - - if ((int) ia->count < 1) { - debugs(0, 0, "WARNING: No IP address found for '" << p->host << "'!"); - return; - } - - p->tcp_up = p->connect_fail_limit; - - for (j = 0; j < (int) ia->count && j < PEER_MAX_ADDRESSES; j++) { - p->addresses[j] = ia->in_addrs[j]; - debugs(15, 2, "--> IP address #" << j << ": " << p->addresses[j]); - p->n_addresses++; - } - - p->in_addr.SetEmpty(); - p->in_addr = 
p->addresses[0]; - p->in_addr.SetPort(p->icp.port); - - if (p->type == PEER_MULTICAST) - peerCountMcastPeersSchedule(p, 10); - -#if USE_ICMP - if (p->type != PEER_MULTICAST) - if (!p->options.no_netdb_exchange) - eventAddIsh("netdbExchangeStart", netdbExchangeStart, p, 30.0, 1); -#endif - -} - -static void -peerRefreshDNS(void *data) -{ - peer *p = NULL; - - if (eventFind(peerRefreshDNS, NULL)) - eventDelete(peerRefreshDNS, NULL); - - if (!data && 0 == stat5minClientRequests()) { - /* no recent client traffic, wait a bit */ - eventAddIsh("peerRefreshDNS", peerRefreshDNS, NULL, 180.0, 1); - return; - } - - for (p = Config.peers; p; p = p->next) - ipcache_nbgethostbyname(p->host, peerDNSConfigure, p); - - /* Reconfigure the peers every hour */ - eventAddIsh("peerRefreshDNS", peerRefreshDNS, NULL, 3600.0, 1); -} - -static void -peerConnectFailedSilent(peer * p) -{ - p->stats.last_connect_failure = squid_curtime; - - if (!p->tcp_up) { - debugs(15, 2, "TCP connection to " << p->host << "/" << p->http_port << - " dead"); - return; - } - - p->tcp_up--; - - if (!p->tcp_up) { - debugs(15, 1, "Detected DEAD " << neighborTypeStr(p) << ": " << p->name); - p->stats.logged_state = PEER_DEAD; - } -} - -void -peerConnectFailed(peer *p) -{ - debugs(15, 1, "TCP connection to " << p->host << "/" << p->http_port << " failed"); - peerConnectFailedSilent(p); -} - -void -peerConnectSucceded(peer * p) -{ - if (!p->tcp_up) { - debugs(15, 2, "TCP connection to " << p->host << "/" << p->http_port << " succeded"); - p->tcp_up = p->connect_fail_limit; // NP: so peerAlive(p) works properly. 
- peerAlive(p); - if (!p->n_addresses) - ipcache_nbgethostbyname(p->host, peerDNSConfigure, p); - } else - p->tcp_up = p->connect_fail_limit; -} - -/// called by Comm when test_fd is closed while connect is in progress -static void -peerProbeClosed(int fd, void *data) -{ - peer *p = (peer*)data; - p->test_fd = -1; - // it is a failure because we failed to connect - peerConnectFailedSilent(p); -} - -static void -peerProbeConnectTimeout(int fd, void *data) -{ - peer * p = (peer *)data; - comm_remove_close_handler(fd, &peerProbeClosed, p); - comm_close(fd); - p->test_fd = -1; - peerConnectFailedSilent(p); -} - -/* -* peerProbeConnect will be called on dead peers by neighborUp -*/ -static int -peerProbeConnect(peer * p) -{ - int fd; - time_t ctimeout = p->connect_timeout > 0 ? p->connect_timeout - : Config.Timeout.peer_connect; - int ret = squid_curtime - p->stats.last_connect_failure > ctimeout * 10; - - if (p->test_fd != -1) - return ret;/* probe already running */ - - if (squid_curtime - p->stats.last_connect_probe == 0) - return ret;/* don't probe to often */ - - Ip::Address temp(getOutgoingAddr(NULL,p)); - - fd = comm_open(SOCK_STREAM, IPPROTO_TCP, temp, COMM_NONBLOCKING, p->host); - - if (fd < 0) - return ret; - - comm_add_close_handler(fd, &peerProbeClosed, p); - commSetTimeout(fd, ctimeout, peerProbeConnectTimeout, p); - - p->test_fd = fd; - - p->stats.last_connect_probe = squid_curtime; - - commConnectStart(p->test_fd, - p->host, - p->http_port, - peerProbeConnectDone, - p); - - return ret; -} - -static void -peerProbeConnectDone(int fd, const DnsLookupDetails &, comm_err_t status, int xerrno, void *data) -{ - peer *p = (peer*)data; - - if (status == COMM_OK) { - peerConnectSucceded(p); - } else { - peerConnectFailedSilent(p); - } - - comm_remove_close_handler(fd, &peerProbeClosed, p); - comm_close(fd); - p->test_fd = -1; - return; -} - -static void -peerCountMcastPeersSchedule(peer * p, time_t when) -{ - if (p->mcast.flags.count_event_pending) - return; - - 
eventAdd("peerCountMcastPeersStart", - peerCountMcastPeersStart, - p, - (double) when, 1); - - p->mcast.flags.count_event_pending = 1; -} - -static void -peerCountMcastPeersStart(void *data) -{ - peer *p = (peer *)data; - ps_state *psstate; - StoreEntry *fake; - MemObject *mem; - icp_common_t *query; - int reqnum; - LOCAL_ARRAY(char, url, MAX_URL); - assert(p->type == PEER_MULTICAST); - p->mcast.flags.count_event_pending = 0; - snprintf(url, MAX_URL, "http://"); - p->in_addr.ToURL(url+7, MAX_URL -8 ); - strcat(url, "/"); - fake = storeCreateEntry(url, url, request_flags(), METHOD_GET); - HttpRequest *req = HttpRequest::CreateFromUrl(url); - psstate = new ps_state; - psstate->request = HTTPMSGLOCK(req); - psstate->entry = fake; - psstate->callback = NULL; - psstate->callback_data = cbdataReference(p); - psstate->ping.start = current_time; - mem = fake->mem_obj; - mem->request = HTTPMSGLOCK(psstate->request); - mem->start_ping = current_time; - mem->ping_reply_callback = peerCountHandleIcpReply; - mem->ircb_data = psstate; - mcastSetTtl(theOutIcpConnection, p->mcast.ttl); - p->mcast.id = mem->id; - reqnum = icpSetCacheKey((const cache_key *)fake->key); - query = _icp_common_t::createMessage(ICP_QUERY, 0, url, reqnum, 0); - icpUdpSend(theOutIcpConnection, - p->in_addr, - query, - LOG_ICP_QUERY, - 0); - fake->ping_status = PING_WAITING; - eventAdd("peerCountMcastPeersDone", - peerCountMcastPeersDone, - psstate, - Config.Timeout.mcast_icp_query / 1000.0, 1); - p->mcast.flags.counting = 1; - peerCountMcastPeersSchedule(p, MCAST_COUNT_RATE); -} - -static void -peerCountMcastPeersDone(void *data) -{ - ps_state *psstate = (ps_state *)data; - StoreEntry *fake = psstate->entry; - - if (cbdataReferenceValid(psstate->callback_data)) { - peer *p = (peer *)psstate->callback_data; - p->mcast.flags.counting = 0; - p->mcast.avg_n_members = Math::doubleAverage(p->mcast.avg_n_members, (double) psstate->ping.n_recv, ++p->mcast.n_times_counted, 10); - debugs(15, 1, "Group " << p->host 
<< ": " << psstate->ping.n_recv << - " replies, "<< std::setw(4)<< std::setprecision(2) << - p->mcast.avg_n_members <<" average, RTT " << p->stats.rtt); - p->mcast.n_replies_expected = (int) p->mcast.avg_n_members; - } - - cbdataReferenceDone(psstate->callback_data); - - EBIT_SET(fake->flags, ENTRY_ABORTED); - HTTPMSGUNLOCK(fake->mem_obj->request); - fake->releaseRequest(); - fake->unlock(); - HTTPMSGUNLOCK(psstate->request); - cbdataFree(psstate); -} - -static void -peerCountHandleIcpReply(peer * p, peer_t type, protocol_t proto, void *hdrnotused, void *data) -{ - int rtt_av_factor; - - ps_state *psstate = (ps_state *)data; - StoreEntry *fake = psstate->entry; - MemObject *mem = fake->mem_obj; - int rtt = tvSubMsec(mem->start_ping, current_time); - assert(proto == PROTO_ICP); - assert(fake); - assert(mem); - psstate->ping.n_recv++; - rtt_av_factor = RTT_AV_FACTOR; - - if (p->options.weighted_roundrobin) - rtt_av_factor = RTT_BACKGROUND_AV_FACTOR; - - p->stats.rtt = Math::intAverage(p->stats.rtt, rtt, psstate->ping.n_recv, rtt_av_factor); -} - -static void -neighborDumpPeers(StoreEntry * sentry) -{ - dump_peers(sentry, Config.peers); -} - -static void -neighborDumpNonPeers(StoreEntry * sentry) -{ - dump_peers(sentry, non_peers); -} - -void -dump_peer_options(StoreEntry * sentry, peer * p) -{ - if (p->options.proxy_only) - storeAppendPrintf(sentry, " proxy-only"); - - if (p->options.no_query) - storeAppendPrintf(sentry, " no-query"); - - if (p->options.background_ping) - storeAppendPrintf(sentry, " background-ping"); - - if (p->options.no_digest) - storeAppendPrintf(sentry, " no-digest"); - - if (p->options.default_parent) - storeAppendPrintf(sentry, " default"); - - if (p->options.roundrobin) - storeAppendPrintf(sentry, " round-robin"); - - if (p->options.carp) - storeAppendPrintf(sentry, " carp"); - - if (p->options.userhash) - storeAppendPrintf(sentry, " userhash"); - - if (p->options.userhash) - storeAppendPrintf(sentry, " sourcehash"); - - if 
(p->options.weighted_roundrobin) - storeAppendPrintf(sentry, " weighted-round-robin"); - - if (p->options.mcast_responder) - storeAppendPrintf(sentry, " multicast-responder"); - -#if PEER_MULTICAST_SIBLINGS - if (p->options.mcast_siblings) - storeAppendPrintf(sentry, " multicast-siblings"); -#endif - - if (p->weight != 1) - storeAppendPrintf(sentry, " weight=%d", p->weight); - - if (p->options.closest_only) - storeAppendPrintf(sentry, " closest-only"); - -#if USE_HTCP - if (p->options.htcp) - storeAppendPrintf(sentry, " htcp"); - if (p->options.htcp_oldsquid) - storeAppendPrintf(sentry, " htcp-oldsquid"); - if (p->options.htcp_no_clr) - storeAppendPrintf(sentry, " htcp-no-clr"); - if (p->options.htcp_no_purge_clr) - storeAppendPrintf(sentry, " htcp-no-purge-clr"); - if (p->options.htcp_only_clr) - storeAppendPrintf(sentry, " htcp-only-clr"); -#endif - - if (p->options.no_netdb_exchange) - storeAppendPrintf(sentry, " no-netdb-exchange"); - -#if DELAY_POOLS - - if (p->options.no_delay) - storeAppendPrintf(sentry, " no-delay"); - -#endif - - if (p->login) - storeAppendPrintf(sentry, " login=%s", p->login); - - if (p->mcast.ttl > 0) - storeAppendPrintf(sentry, " ttl=%d", p->mcast.ttl); - - if (p->connect_timeout > 0) - storeAppendPrintf(sentry, " connect-timeout=%d", (int) p->connect_timeout); - - if (p->connect_fail_limit != PEER_TCP_MAGIC_COUNT) - storeAppendPrintf(sentry, " connect-fail-limit=%d", p->connect_fail_limit); - -#if USE_CACHE_DIGESTS - - if (p->digest_url) - storeAppendPrintf(sentry, " digest-url=%s", p->digest_url); - -#endif - - if (p->options.allow_miss) - storeAppendPrintf(sentry, " allow-miss"); - - if (p->options.no_tproxy) - storeAppendPrintf(sentry, " no-tproxy"); - - if (p->max_conn > 0) - storeAppendPrintf(sentry, " max-conn=%d", p->max_conn); - - if (p->options.originserver) - storeAppendPrintf(sentry, " originserver"); - - if (p->domain) - storeAppendPrintf(sentry, " forceddomain=%s", p->domain); - - if (p->connection_auth == 0) - 
storeAppendPrintf(sentry, " connection-auth=off"); - else if (p->connection_auth == 1) - storeAppendPrintf(sentry, " connection-auth=on"); - else if (p->connection_auth == 2) - storeAppendPrintf(sentry, " connection-auth=auto"); - - storeAppendPrintf(sentry, "\n"); -} - -static void -dump_peers(StoreEntry * sentry, peer * peers) -{ - peer *e = NULL; - char ntoabuf[MAX_IPSTRLEN]; - struct _domain_ping *d = NULL; - icp_opcode op; - int i; - - if (peers == NULL) - storeAppendPrintf(sentry, "There are no neighbors installed.\n"); - - for (e = peers; e; e = e->next) { - assert(e->host != NULL); - storeAppendPrintf(sentry, "\n%-11.11s: %s\n", - neighborTypeStr(e), - e->name); - storeAppendPrintf(sentry, "Host : %s/%d/%d\n", - e->host, - e->http_port, - e->icp.port); - storeAppendPrintf(sentry, "Flags :"); - dump_peer_options(sentry, e); - - for (i = 0; i < e->n_addresses; i++) { - storeAppendPrintf(sentry, "Address[%d] : %s\n", i, - e->addresses[i].NtoA(ntoabuf,MAX_IPSTRLEN) ); - } - - storeAppendPrintf(sentry, "Status : %s\n", - neighborUp(e) ? 
"Up" : "Down"); - storeAppendPrintf(sentry, "FETCHES : %d\n", e->stats.fetches); - storeAppendPrintf(sentry, "OPEN CONNS : %d\n", e->stats.conn_open); - storeAppendPrintf(sentry, "AVG RTT : %d msec\n", e->stats.rtt); - - if (!e->options.no_query) { - storeAppendPrintf(sentry, "LAST QUERY : %8d seconds ago\n", - (int) (squid_curtime - e->stats.last_query)); - - if (e->stats.last_reply > 0) - storeAppendPrintf(sentry, "LAST REPLY : %8d seconds ago\n", - (int) (squid_curtime - e->stats.last_reply)); - else - storeAppendPrintf(sentry, "LAST REPLY : none received\n"); - - storeAppendPrintf(sentry, "PINGS SENT : %8d\n", e->stats.pings_sent); - - storeAppendPrintf(sentry, "PINGS ACKED: %8d %3d%%\n", - e->stats.pings_acked, - Math::intPercent(e->stats.pings_acked, e->stats.pings_sent)); - } - - storeAppendPrintf(sentry, "IGNORED : %8d %3d%%\n", e->stats.ignored_replies, Math::intPercent(e->stats.ignored_replies, e->stats.pings_acked)); - - if (!e->options.no_query) { - storeAppendPrintf(sentry, "Histogram of PINGS ACKED:\n"); -#if USE_HTCP - - if (e->options.htcp) { - storeAppendPrintf(sentry, "\tMisses\t%8d %3d%%\n", - e->htcp.counts[0], - Math::intPercent(e->htcp.counts[0], e->stats.pings_acked)); - storeAppendPrintf(sentry, "\tHits\t%8d %3d%%\n", - e->htcp.counts[1], - Math::intPercent(e->htcp.counts[1], e->stats.pings_acked)); - } else { -#endif - - for (op = ICP_INVALID; op < ICP_END; ++op) { - if (e->icp.counts[op] == 0) - continue; - - storeAppendPrintf(sentry, " %12.12s : %8d %3d%%\n", - icp_opcode_str[op], - e->icp.counts[op], - Math::intPercent(e->icp.counts[op], e->stats.pings_acked)); - } - -#if USE_HTCP - - } - -#endif - - } - - if (e->stats.last_connect_failure) { - storeAppendPrintf(sentry, "Last failed connect() at: %s\n", - mkhttpdlogtime(&(e->stats.last_connect_failure))); - } - - if (e->peer_domain != NULL) { - storeAppendPrintf(sentry, "DOMAIN LIST: "); - - for (d = e->peer_domain; d; d = d->next) { - storeAppendPrintf(sentry, "%s%s ", - d->do_ping ? 
null_string : "!", d->domain); - } - - storeAppendPrintf(sentry, "\n"); - } - - storeAppendPrintf(sentry, "keep-alive ratio: %d%%\n", Math::intPercent(e->stats.n_keepalives_recv, e->stats.n_keepalives_sent)); - } -} - -#if USE_HTCP -void -neighborsHtcpReply(const cache_key * key, htcpReplyData * htcp, const Ip::Address &from) -{ - StoreEntry *e = Store::Root().get(key); - MemObject *mem = NULL; - peer *p; - peer_t ntype = PEER_NONE; - debugs(15, 6, "neighborsHtcpReply: " << - (htcp->hit ? "HIT" : "MISS") << " " << - storeKeyText(key) ); - - if (NULL != e) - mem = e->mem_obj; - - if ((p = whichPeer(from))) - neighborAliveHtcp(p, mem, htcp); - - /* Does the entry exist? */ - if (NULL == e) { - debugs(12, 3, "neighyborsHtcpReply: Cache key '" << storeKeyText(key) << "' not found"); - neighborCountIgnored(p); - return; - } - - /* check if someone is already fetching it */ - if (EBIT_TEST(e->flags, ENTRY_DISPATCHED)) { - debugs(15, 3, "neighborsUdpAck: '" << storeKeyText(key) << "' already being fetched."); - neighborCountIgnored(p); - return; - } - - if (mem == NULL) { - debugs(15, 2, "Ignoring reply for missing mem_obj: " << storeKeyText(key)); - neighborCountIgnored(p); - return; - } - - if (e->ping_status != PING_WAITING) { - debugs(15, 2, "neighborsUdpAck: Entry " << storeKeyText(key) << " is not PING_WAITING"); - neighborCountIgnored(p); - return; - } - - if (e->lock_count == 0) { - debugs(12, 1, "neighborsUdpAck: '" << storeKeyText(key) << "' has no locks"); - neighborCountIgnored(p); - return; - } - - if (p) { - ntype = neighborType(p, mem->request); - neighborUpdateRtt(p, mem); - } - - if (ignoreMulticastReply(p, mem)) { - neighborCountIgnored(p); - return; - } - - debugs(15, 3, "neighborsHtcpReply: e = " << e); - mem->ping_reply_callback(p, ntype, PROTO_HTCP, htcp, mem->ircb_data); -} - -/* - * Send HTCP CLR messages to all peers configured to receive them. 
- */ -void -neighborsHtcpClear(StoreEntry * e, const char *uri, HttpRequest * req, const HttpRequestMethod &method, htcp_clr_reason reason) -{ - peer *p; - char buf[128]; - - for (p = Config.peers; p; p = p->next) { - if (!p->options.htcp) { - continue; - } - if (p->options.htcp_no_clr) { - continue; - } - if (p->options.htcp_no_purge_clr && reason == HTCP_CLR_PURGE) { - continue; - } - debugs(15, 3, "neighborsHtcpClear: sending CLR to " << p->in_addr.ToURL(buf, 128)); - htcpClear(e, uri, req, method, p, reason); - } -} - -#endif +/* + * DEBUG: section 15 Neighbor Routines + * AUTHOR: Harvest Derived + * + * SQUID Web Proxy Cache http://www.squid-cache.org/ + * ---------------------------------------------------------- + * + * Squid is the result of efforts by numerous individuals from + * the Internet community; see the CONTRIBUTORS file for full + * details. Many organizations have provided support for Squid's + * development; see the SPONSORS file for full details. Squid is + * Copyrighted (C) 2001 by the Regents of the University of + * California; see the COPYRIGHT file for full details. Squid + * incorporates software developed and/or copyrighted by other + * sources; see the CREDITS file for full details. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. 
+ * + */ + +#include "squid.h" +#include "ProtoPort.h" +#include "acl/FilledChecklist.h" +#include "event.h" +#include "CacheManager.h" +#include "htcp.h" +#include "HttpRequest.h" +#include "ICP.h" +#include "MemObject.h" +#include "PeerDigest.h" +#include "PeerSelectState.h" +#include "SquidMath.h" +#include "SquidTime.h" +#include "Store.h" +#include "icmp/net_db.h" +#include "ip/Address.h" + +/* count mcast group peers every 15 minutes */ +#define MCAST_COUNT_RATE 900 + +int peerAllowedToUse(const peer *, HttpRequest *); +static int peerWouldBePinged(const peer *, HttpRequest *); +static void neighborRemove(peer *); +static void neighborAlive(peer *, const MemObject *, const icp_common_t *); +#if USE_HTCP +static void neighborAliveHtcp(peer *, const MemObject *, const htcpReplyData *); +#endif +static void neighborCountIgnored(peer *); +static void peerRefreshDNS(void *); +static IPH peerDNSConfigure; +static int peerProbeConnect(peer *); +static CNCB peerProbeConnectDone; +static void peerCountMcastPeersDone(void *data); +static void peerCountMcastPeersStart(void *data); +static void peerCountMcastPeersSchedule(peer * p, time_t when); +static IRCB peerCountHandleIcpReply; + +static void neighborIgnoreNonPeer(const Ip::Address &, icp_opcode); +static OBJH neighborDumpPeers; +static OBJH neighborDumpNonPeers; +static void dump_peers(StoreEntry * sentry, peer * peers); + +static icp_common_t echo_hdr; +static u_short echo_port; + +static int NLateReplies = 0; +static peer *first_ping = NULL; + +const char * +neighborTypeStr(const peer * p) +{ + if (p->type == PEER_NONE) + return "Non-Peer"; + + if (p->type == PEER_SIBLING) + return "Sibling"; + + if (p->type == PEER_MULTICAST) + return "Multicast Group"; + + return "Parent"; +} + + +peer * +whichPeer(const Ip::Address &from) +{ + int j; + + peer *p = NULL; + debugs(15, 3, "whichPeer: from " << from); + + for (p = Config.peers; p; p = p->next) { + for (j = 0; j < p->n_addresses; j++) { + if (from == 
p->addresses[j] && from.GetPort() == p->icp.port) { + return p; + } + } + } + + return NULL; +} + +peer_t +neighborType(const peer * p, const HttpRequest * request) +{ + + const struct _domain_type *d = NULL; + + for (d = p->typelist; d; d = d->next) { + if (0 == matchDomainName(request->GetHost(), d->domain)) + if (d->type != PEER_NONE) + return d->type; + } +#if PEER_MULTICAST_SIBLINGS + if (p->type == PEER_MULTICAST) + if (p->options.mcast_siblings) + return PEER_SIBLING; +#endif + + return p->type; +} + +/* + * peerAllowedToUse + * + * this function figures out if it is appropriate to fetch REQUEST + * from PEER. + */ +int +peerAllowedToUse(const peer * p, HttpRequest * request) +{ + + const struct _domain_ping *d = NULL; + int do_ping = 1; + assert(request != NULL); + + if (neighborType(p, request) == PEER_SIBLING) { +#if PEER_MULTICAST_SIBLINGS + if (p->type == PEER_MULTICAST && p->options.mcast_siblings && + (request->flags.nocache || request->flags.refresh || request->flags.loopdetect || request->flags.need_validation)) + debugs(15, 2, "peerAllowedToUse(" << p->name << ", " << request->GetHost() << ") : multicast-siblings optimization match"); +#endif + if (request->flags.nocache) + return 0; + + /*Ignore refresh flag if access_sibling_for_stale_resource flag is on unless allow_miss is enabled for this peer + (needed to avoid forwarding loops).*/ + if (request->flags.refresh && !Config.onoff.access_sibling_for_stale_resource || + request->flags.refresh && p->options.allow_miss) + return 0; + + if (request->flags.loopdetect) + return 0; + + /*Ignore need_validation flag if access_sibling_for_stale_resource flag is on unless allow_miss is enabled for this peer + (needed to avoid forwarding loops).*/ + if (request->flags.need_validation && !Config.onoff.access_sibling_for_stale_resource || + request->flags.need_validation && p->options.allow_miss) + return 0; + } + + if (p->peer_domain == NULL && p->access == NULL) + return do_ping; + + do_ping = 0; + + for (d 
= p->peer_domain; d; d = d->next) { + if (0 == matchDomainName(request->GetHost(), d->domain)) { + do_ping = d->do_ping; + break; + } + + do_ping = !d->do_ping; + } + + if (p->peer_domain && 0 == do_ping) + return do_ping; + + if (p->access == NULL) + return do_ping; + + ACLFilledChecklist checklist(p->access, request, NULL); + checklist.src_addr = request->client_addr; + checklist.my_addr = request->my_addr; + +#if 0 && USE_IDENT + /* + * this is currently broken because 'request->user_ident' has been + * moved to conn->rfc931 and we don't have access to the parent + * ConnStateData here. + */ + if (request->user_ident[0]) + xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ); + +#endif + + return checklist.fastCheck(); +} + +/* Return TRUE if it is okay to send an ICP request to this peer. */ +static int +peerWouldBePinged(const peer * p, HttpRequest * request) +{ + if (!peerAllowedToUse(p, request)) + return 0; + + if (p->options.no_query) + return 0; + + if (p->options.background_ping && (squid_curtime - p->stats.last_query < Config.backgroundPingRate)) + return 0; + + if (p->options.mcast_responder) + return 0; + + if (p->n_addresses == 0) + return 0; + + if (p->icp.port == 0) + return 0; + + /* the case below seems strange, but can happen if the + * URL host is on the other side of a firewall */ + if (p->type == PEER_SIBLING) + if (!request->flags.hierarchical) + return 0; + + /* Ping dead peers every timeout interval */ + if (squid_curtime - p->stats.last_query > Config.Timeout.deadPeer) + return 1; + + if (!neighborUp(p)) + return 0; + + return 1; +} + +/* Return TRUE if it is okay to send an HTTP request to this peer. 
*/ +int +peerHTTPOkay(const peer * p, HttpRequest * request) +{ + if (!peerAllowedToUse(p, request)) + return 0; + + if (!neighborUp(p)) + return 0; + + if (p->max_conn) + if (p->stats.conn_open >= p->max_conn) + return 0; + + return 1; +} + +int +neighborsCount(HttpRequest * request) +{ + peer *p = NULL; + int count = 0; + + for (p = Config.peers; p; p = p->next) + if (peerWouldBePinged(p, request)) + count++; + + debugs(15, 3, "neighborsCount: " << count); + + return count; +} + +peer * +getFirstUpParent(HttpRequest * request) +{ + peer *p = NULL; + + for (p = Config.peers; p; p = p->next) { + if (!neighborUp(p)) + continue; + + if (neighborType(p, request) != PEER_PARENT) + continue; + + if (!peerHTTPOkay(p, request)) + continue; + + break; + } + + debugs(15, 3, "getFirstUpParent: returning " << (p ? p->host : "NULL")); + return p; +} + +peer * +getRoundRobinParent(HttpRequest * request) +{ + peer *p; + peer *q = NULL; + + for (p = Config.peers; p; p = p->next) { + if (!p->options.roundrobin) + continue; + + if (neighborType(p, request) != PEER_PARENT) + continue; + + if (!peerHTTPOkay(p, request)) + continue; + + if (p->weight == 0) + continue; + + if (q) { + if (p->weight == q->weight) { + if (q->rr_count < p->rr_count) + continue; + } else if ( (double) q->rr_count / q->weight < (double) p->rr_count / p->weight) { + continue; + } + } + + q = p; + } + + if (q) + q->rr_count++; + + debugs(15, 3, HERE << "returning " << (q ? 
q->host : "NULL")); + + return q; +} + +peer * +getWeightedRoundRobinParent(HttpRequest * request) +{ + peer *p; + peer *q = NULL; + int weighted_rtt; + + for (p = Config.peers; p; p = p->next) { + if (!p->options.weighted_roundrobin) + continue; + + if (neighborType(p, request) != PEER_PARENT) + continue; + + if (!peerHTTPOkay(p, request)) + continue; + + if (q && q->rr_count < p->rr_count) + continue; + + q = p; + } + + if (q && q->rr_count > 1000000) + for (p = Config.peers; p; p = p->next) { + if (!p->options.weighted_roundrobin) + continue; + + if (neighborType(p, request) != PEER_PARENT) + continue; + + p->rr_count = 0; + } + + if (q) { + weighted_rtt = (q->stats.rtt - q->basetime) / q->weight; + + if (weighted_rtt < 1) + weighted_rtt = 1; + + q->rr_count += weighted_rtt; + + debugs(15, 3, "getWeightedRoundRobinParent: weighted_rtt " << weighted_rtt); + } + + debugs(15, 3, "getWeightedRoundRobinParent: returning " << (q ? q->host : "NULL")); + return q; +} + +/** + * This gets called every 5 minutes to clear the round-robin counter. + * The exact timing is an arbitrary default, set on estimate timing of a + * large number of requests in a high-performance environment during the + * period. The larger the number of requests between cycled resets the + * more balanced the operations. + * + \param data unused. + \todo Make the reset timing a selectable parameter in squid.conf + */ +static void +peerClearRRLoop(void *data) +{ + peerClearRR(); + eventAdd("peerClearRR", peerClearRRLoop, data, 5 * 60.0, 0); +} + +/** + * This gets called on startup and restart to kick off the peer round-robin + * maintenance event. It ensures that no matter how many times its called + * no more than one event is scheduled. + */ +void +peerClearRRStart(void) +{ + static int event_added = 0; + if (!event_added) { + peerClearRRLoop(NULL); + } +} + +/** + * Called whenever the round-robin counters need to be reset to a sane state. 
+ * So far those times are: + * - On startup and reconfigure - to set the counters to sane initial settings. + * - When a peer has revived from dead, to prevent the revived peer being + * flooded with requests which it has 'missed' during the down period. + */ +void +peerClearRR() +{ + peer *p = NULL; + for (p = Config.peers; p; p = p->next) { + p->rr_count = 0; + } +} + +/** + * Perform all actions when a peer is detected revived. + */ +void +peerAlive(peer *p) +{ + if (p->stats.logged_state == PEER_DEAD && p->tcp_up) { + debugs(15, 1, "Detected REVIVED " << neighborTypeStr(p) << ": " << p->name); + p->stats.logged_state = PEER_ALIVE; + peerClearRR(); + } + + p->stats.last_reply = squid_curtime; + p->stats.probe_start = 0; +} + +peer * +getDefaultParent(HttpRequest * request) +{ + peer *p = NULL; + + for (p = Config.peers; p; p = p->next) { + if (neighborType(p, request) != PEER_PARENT) + continue; + + if (!p->options.default_parent) + continue; + + if (!peerHTTPOkay(p, request)) + continue; + + debugs(15, 3, "getDefaultParent: returning " << p->host); + + return p; + } + + debugs(15, 3, "getDefaultParent: returning NULL"); + return NULL; +} + +/* + * XXX DW thinks this function is equivalent to/redundant with + * getFirstUpParent(). peerHTTPOkay() only returns true if the + * peer is UP anyway, so this function would not return a + * DOWN parent. 
+ */ +peer * +getAnyParent(HttpRequest * request) +{ + peer *p = NULL; + + for (p = Config.peers; p; p = p->next) { + if (neighborType(p, request) != PEER_PARENT) + continue; + + if (!peerHTTPOkay(p, request)) + continue; + + debugs(15, 3, "getAnyParent: returning " << p->host); + + return p; + } + + debugs(15, 3, "getAnyParent: returning NULL"); + return NULL; +} + +peer * +getNextPeer(peer * p) +{ + return p->next; +} + +peer * +getFirstPeer(void) +{ + return Config.peers; +} + +static void +neighborRemove(peer * target) +{ + peer *p = NULL; + peer **P = NULL; + p = Config.peers; + P = &Config.peers; + + while (p) { + if (target == p) + break; + + P = &p->next; + + p = p->next; + } + + if (p) { + *P = p->next; + cbdataFree(p); + Config.npeers--; + } + + first_ping = Config.peers; +} + +static void +neighborsRegisterWithCacheManager() +{ + CacheManager *manager = CacheManager::GetInstance(); + manager->registerAction("server_list", + "Peer Cache Statistics", + neighborDumpPeers, 0, 1); + + if (theInIcpConnection >= 0) { + manager->registerAction("non_peers", + "List of Unknown sites sending ICP messages", + neighborDumpNonPeers, 0, 1); + } +} + +void +neighbors_init(void) +{ + Ip::Address nul; + struct addrinfo *AI = NULL; + struct servent *sep = NULL; + const char *me = getMyHostname(); + peer *thisPeer = NULL; + peer *next = NULL; + int fd = theInIcpConnection; + + neighborsRegisterWithCacheManager(); + + /* setup addrinfo for use */ + nul.InitAddrInfo(AI); + + if (fd >= 0) { + + if (getsockname(fd, AI->ai_addr, &AI->ai_addrlen) < 0) + debugs(15, 1, "getsockname(" << fd << "," << AI->ai_addr << "," << &AI->ai_addrlen << ") failed."); + + for (thisPeer = Config.peers; thisPeer; thisPeer = next) { + http_port_list *s = NULL; + next = thisPeer->next; + + if (0 != strcmp(thisPeer->host, me)) + continue; + + for (s = Config.Sockaddr.http; s; s = s->next) { + if (thisPeer->http_port != s->s.GetPort()) + continue; + + debugs(15, 1, "WARNING: Peer looks like this 
host"); + + debugs(15, 1, " Ignoring " << + neighborTypeStr(thisPeer) << " " << thisPeer->host << + "/" << thisPeer->http_port << "/" << + thisPeer->icp.port); + + neighborRemove(thisPeer); + } + } + } + + peerRefreshDNS((void *) 1); + + if (ICP_INVALID == echo_hdr.opcode) { + echo_hdr.opcode = ICP_SECHO; + echo_hdr.version = ICP_VERSION_CURRENT; + echo_hdr.length = 0; + echo_hdr.reqnum = 0; + echo_hdr.flags = 0; + echo_hdr.pad = 0; + nul = *AI; + nul.GetInAddr( *((struct in_addr*)&echo_hdr.shostid) ); + sep = getservbyname("echo", "udp"); + echo_port = sep ? ntohs((u_short) sep->s_port) : 7; + } + + first_ping = Config.peers; + nul.FreeAddrInfo(AI); +} + +int +neighborsUdpPing(HttpRequest * request, + StoreEntry * entry, + IRCB * callback, + void *callback_data, + int *exprep, + int *timeout) +{ + const char *url = entry->url(); + MemObject *mem = entry->mem_obj; + peer *p = NULL; + int i; + int reqnum = 0; + int flags; + icp_common_t *query; + int queries_sent = 0; + int peers_pinged = 0; + int parent_timeout = 0, parent_exprep = 0; + int sibling_timeout = 0, sibling_exprep = 0; + int mcast_timeout = 0, mcast_exprep = 0; + + if (Config.peers == NULL) + return 0; + + assert(entry->swap_status == SWAPOUT_NONE); + + mem->start_ping = current_time; + + mem->ping_reply_callback = callback; + + mem->ircb_data = callback_data; + + reqnum = icpSetCacheKey((const cache_key *)entry->key); + + for (i = 0, p = first_ping; i++ < Config.npeers; p = p->next) { + if (p == NULL) + p = Config.peers; + + debugs(15, 5, "neighborsUdpPing: Peer " << p->host); + + if (!peerWouldBePinged(p, request)) + continue; /* next peer */ + + peers_pinged++; + + debugs(15, 4, "neighborsUdpPing: pinging peer " << p->host << " for '" << url << "'"); + + debugs(15, 3, "neighborsUdpPing: key = '" << entry->getMD5Text() << "'"); + + debugs(15, 3, "neighborsUdpPing: reqnum = " << reqnum); + +#if USE_HTCP + if (p->options.htcp && !p->options.htcp_only_clr) { + if (Config.Port.htcp <= 0) { + debugs(15, 
DBG_CRITICAL, "HTCP is disabled! Cannot send HTCP request to peer."); + continue; + } + + debugs(15, 3, "neighborsUdpPing: sending HTCP query"); + if (htcpQuery(entry, request, p) <= 0) continue; // unable to send. + } else +#endif + { + if (Config.Port.icp <= 0 || theOutIcpConnection <= 0) { + debugs(15, DBG_CRITICAL, "ICP is disabled! Cannot send ICP request to peer."); + continue; + } else { + + if (p->type == PEER_MULTICAST) + mcastSetTtl(theOutIcpConnection, p->mcast.ttl); + + if (p->icp.port == echo_port) { + debugs(15, 4, "neighborsUdpPing: Looks like a dumb cache, send DECHO ping"); + echo_hdr.reqnum = reqnum; + query = _icp_common_t::createMessage(ICP_DECHO, 0, url, reqnum, 0); + icpUdpSend(theOutIcpConnection,p->in_addr,query,LOG_ICP_QUERY,0); + } else { + flags = 0; + + if (Config.onoff.query_icmp) + if (p->icp.version == ICP_VERSION_2) + flags |= ICP_FLAG_SRC_RTT; + + query = _icp_common_t::createMessage(ICP_QUERY, flags, url, reqnum, 0); + + icpUdpSend(theOutIcpConnection, p->in_addr, query, LOG_ICP_QUERY, 0); + } + } + } + + queries_sent++; + + p->stats.pings_sent++; + + if (p->type == PEER_MULTICAST) { + mcast_exprep += p->mcast.n_replies_expected; + mcast_timeout += (p->stats.rtt * p->mcast.n_replies_expected); + } else if (neighborUp(p)) { + /* its alive, expect a reply from it */ + + if (neighborType(p, request) == PEER_PARENT) { + parent_exprep++; + parent_timeout += p->stats.rtt; + } else { + sibling_exprep++; + sibling_timeout += p->stats.rtt; + } + } else { + /* Neighbor is dead; ping it anyway, but don't expect a reply */ + /* log it once at the threshold */ + + if (p->stats.logged_state == PEER_ALIVE) { + debugs(15, 1, "Detected DEAD " << neighborTypeStr(p) << ": " << p->name); + p->stats.logged_state = PEER_DEAD; + } + } + + p->stats.last_query = squid_curtime; + + /* + * keep probe_start == 0 for a multicast peer, + * so neighborUp() never says this peer is dead. 
+ */ + + if ((p->type != PEER_MULTICAST) && (p->stats.probe_start == 0)) + p->stats.probe_start = squid_curtime; + } + + if ((first_ping = first_ping->next) == NULL) + first_ping = Config.peers; + + /* + * How many replies to expect? + */ + *exprep = parent_exprep + sibling_exprep + mcast_exprep; + + /* + * If there is a configured timeout, use it + */ + if (Config.Timeout.icp_query) + *timeout = Config.Timeout.icp_query; + else { + if (*exprep > 0) { + if (parent_exprep) + *timeout = 2 * parent_timeout / parent_exprep; + else if (mcast_exprep) + *timeout = 2 * mcast_timeout / mcast_exprep; + else + *timeout = 2 * sibling_timeout / sibling_exprep; + } else + *timeout = 2000; /* 2 seconds */ + + if (Config.Timeout.icp_query_max) + if (*timeout > Config.Timeout.icp_query_max) + *timeout = Config.Timeout.icp_query_max; + + if (*timeout < Config.Timeout.icp_query_min) + *timeout = Config.Timeout.icp_query_min; + } + + return peers_pinged; +} + +/* lookup the digest of a given peer */ +lookup_t +peerDigestLookup(peer * p, HttpRequest * request) +{ +#if USE_CACHE_DIGESTS + const cache_key *key = request ? storeKeyPublicByRequest(request) : NULL; + assert(p); + assert(request); + debugs(15, 5, "peerDigestLookup: peer " << p->host); + /* does the peeer have a valid digest? */ + + if (!p->digest) { + debugs(15, 5, "peerDigestLookup: gone!"); + return LOOKUP_NONE; + } else if (!peerHTTPOkay(p, request)) { + debugs(15, 5, "peerDigestLookup: !peerHTTPOkay"); + return LOOKUP_NONE; + } else if (!p->digest->flags.needed) { + debugs(15, 5, "peerDigestLookup: note need"); + peerDigestNeeded(p->digest); + return LOOKUP_NONE; + } else if (!p->digest->flags.usable) { + debugs(15, 5, "peerDigestLookup: !ready && " << (p->digest->flags.requested ? "" : "!") << "requested"); + return LOOKUP_NONE; + } + + debugs(15, 5, "peerDigestLookup: OK to lookup peer " << p->host); + assert(p->digest->cd); + /* does digest predict a hit? 
*/ + + if (!cacheDigestTest(p->digest->cd, key)) + return LOOKUP_MISS; + + debugs(15, 5, "peerDigestLookup: peer " << p->host << " says HIT!"); + + return LOOKUP_HIT; + +#endif + + return LOOKUP_NONE; +} + +/* select best peer based on cache digests */ +peer * +neighborsDigestSelect(HttpRequest * request) +{ + peer *best_p = NULL; +#if USE_CACHE_DIGESTS + + const cache_key *key; + int best_rtt = 0; + int choice_count = 0; + int ichoice_count = 0; + peer *p; + int p_rtt; + int i; + + if (!request->flags.hierarchical) + return NULL; + + key = storeKeyPublicByRequest(request); + + for (i = 0, p = first_ping; i++ < Config.npeers; p = p->next) { + lookup_t lookup; + + if (!p) + p = Config.peers; + + if (i == 1) + first_ping = p; + + lookup = peerDigestLookup(p, request); + + if (lookup == LOOKUP_NONE) + continue; + + choice_count++; + + if (lookup == LOOKUP_MISS) + continue; + + p_rtt = netdbHostRtt(p->host); + + debugs(15, 5, "neighborsDigestSelect: peer " << p->host << " rtt: " << p_rtt); + + /* is this peer better than others in terms of rtt ? */ + if (!best_p || (p_rtt && p_rtt < best_rtt)) { + best_p = p; + best_rtt = p_rtt; + + if (p_rtt) /* informative choice (aka educated guess) */ + ichoice_count++; + + debugs(15, 4, "neighborsDigestSelect: peer " << p->host << " leads with rtt " << best_rtt); + } + } + + debugs(15, 4, "neighborsDigestSelect: choices: " << choice_count << " (" << ichoice_count << ")"); + peerNoteDigestLookup(request, best_p, + best_p ? LOOKUP_HIT : (choice_count ? LOOKUP_MISS : LOOKUP_NONE)); + request->hier.n_choices = choice_count; + request->hier.n_ichoices = ichoice_count; +#endif + + return best_p; +} + +void +peerNoteDigestLookup(HttpRequest * request, peer * p, lookup_t lookup) +{ +#if USE_CACHE_DIGESTS + if (p) + strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host)); + else + *request->hier.cd_host = '\0'; + + request->hier.cd_lookup = lookup; + debugs(15, 4, "peerNoteDigestLookup: peer " << (p? 
p->host : "") << ", lookup: " << lookup_t_str[lookup] ); +#endif +} + +static void +neighborAlive(peer * p, const MemObject * mem, const icp_common_t * header) +{ + peerAlive(p); + p->stats.pings_acked++; + + if ((icp_opcode) header->opcode <= ICP_END) + p->icp.counts[header->opcode]++; + + p->icp.version = (int) header->version; +} + +static void +neighborUpdateRtt(peer * p, MemObject * mem) +{ + int rtt, rtt_av_factor; + + if (!mem) + return; + + if (!mem->start_ping.tv_sec) + return; + + rtt = tvSubMsec(mem->start_ping, current_time); + + if (rtt < 1 || rtt > 10000) + return; + + rtt_av_factor = RTT_AV_FACTOR; + + if (p->options.weighted_roundrobin) + rtt_av_factor = RTT_BACKGROUND_AV_FACTOR; + + p->stats.rtt = Math::intAverage(p->stats.rtt, rtt, p->stats.pings_acked, rtt_av_factor); +} + +#if USE_HTCP +static void +neighborAliveHtcp(peer * p, const MemObject * mem, const htcpReplyData * htcp) +{ + peerAlive(p); + p->stats.pings_acked++; + p->htcp.counts[htcp->hit ? 1 : 0]++; + p->htcp.version = htcp->version; +} + +#endif + +static void +neighborCountIgnored(peer * p) +{ + if (p == NULL) + return; + + p->stats.ignored_replies++; + + NLateReplies++; +} + +static peer *non_peers = NULL; + +static void +neighborIgnoreNonPeer(const Ip::Address &from, icp_opcode opcode) +{ + peer *np; + + for (np = non_peers; np; np = np->next) { + if (np->in_addr != from) + continue; + + if (np->in_addr.GetPort() != from.GetPort()) + continue; + + break; + } + + if (np == NULL) { + np = (peer *)xcalloc(1, sizeof(peer)); + np->in_addr = from; + np->icp.port = from.GetPort(); + np->type = PEER_NONE; + np->host = new char[MAX_IPSTRLEN]; + from.NtoA(np->host,MAX_IPSTRLEN); + np->next = non_peers; + non_peers = np; + } + + np->icp.counts[opcode]++; + + if (isPowTen(++np->stats.ignored_replies)) + debugs(15, 1, "WARNING: Ignored " << np->stats.ignored_replies << " replies from non-peer " << np->host); +} + +/* ignoreMulticastReply + * + * * We want to ignore replies from multicast peers 
if the + * * cache_host_domain rules would normally prevent the peer + * * from being used + */ +static int +ignoreMulticastReply(peer * p, MemObject * mem) +{ + if (p == NULL) + return 0; + + if (!p->options.mcast_responder) + return 0; + + if (peerHTTPOkay(p, mem->request)) + return 0; + + return 1; +} + +/** + * I should attach these records to the entry. We take the first + * hit we get our wait until everyone misses. The timeout handler + * call needs to nip this shopping list or call one of the misses. + * + * If a hit process is already started, then sobeit + */ +void +neighborsUdpAck(const cache_key * key, icp_common_t * header, const Ip::Address &from) +{ + peer *p = NULL; + StoreEntry *entry; + MemObject *mem = NULL; + peer_t ntype = PEER_NONE; + icp_opcode opcode = (icp_opcode) header->opcode; + + debugs(15, 6, "neighborsUdpAck: opcode " << opcode << " '" << storeKeyText(key) << "'"); + + if (NULL != (entry = Store::Root().get(key))) + mem = entry->mem_obj; + + if ((p = whichPeer(from))) + neighborAlive(p, mem, header); + + if (opcode > ICP_END) + return; + + const char *opcode_d = icp_opcode_str[opcode]; + + if (p) + neighborUpdateRtt(p, mem); + + /* Does the entry exist? 
*/ + if (NULL == entry) { + debugs(12, 3, "neighborsUdpAck: Cache key '" << storeKeyText(key) << "' not found"); + neighborCountIgnored(p); + return; + } + + /* check if someone is already fetching it */ + if (EBIT_TEST(entry->flags, ENTRY_DISPATCHED)) { + debugs(15, 3, "neighborsUdpAck: '" << storeKeyText(key) << "' already being fetched."); + neighborCountIgnored(p); + return; + } + + if (mem == NULL) { + debugs(15, 2, "Ignoring " << opcode_d << " for missing mem_obj: " << storeKeyText(key)); + neighborCountIgnored(p); + return; + } + + if (entry->ping_status != PING_WAITING) { + debugs(15, 2, "neighborsUdpAck: Late " << opcode_d << " for " << storeKeyText(key)); + neighborCountIgnored(p); + return; + } + + if (entry->lock_count == 0) { + debugs(12, 1, "neighborsUdpAck: '" << storeKeyText(key) << "' has no locks"); + neighborCountIgnored(p); + return; + } + + debugs(15, 3, "neighborsUdpAck: " << opcode_d << " for '" << storeKeyText(key) << "' from " << (p ? p->host : "source") << " "); + + if (p) { + ntype = neighborType(p, mem->request); + } + + if (ignoreMulticastReply(p, mem)) { + neighborCountIgnored(p); + } else if (opcode == ICP_MISS) { + if (p == NULL) { + neighborIgnoreNonPeer(from, opcode); + } else { + mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); + } + } else if (opcode == ICP_HIT) { + if (p == NULL) { + neighborIgnoreNonPeer(from, opcode); + } else { + header->opcode = ICP_HIT; + mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); + } + } else if (opcode == ICP_DECHO) { + if (p == NULL) { + neighborIgnoreNonPeer(from, opcode); + } else if (ntype == PEER_SIBLING) { + debug_trap("neighborsUdpAck: Found non-ICP cache as SIBLING\n"); + debug_trap("neighborsUdpAck: non-ICP neighbors must be a PARENT\n"); + } else { + mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); + } + } else if (opcode == ICP_SECHO) { + if (p) { + debugs(15, 1, "Ignoring SECHO from neighbor " << p->host); + 
neighborCountIgnored(p); + } else { + debugs(15, 1, "Unsolicited SECHO from " << from); + } + } else if (opcode == ICP_DENIED) { + if (p == NULL) { + neighborIgnoreNonPeer(from, opcode); + } else if (p->stats.pings_acked > 100) { + if (100 * p->icp.counts[ICP_DENIED] / p->stats.pings_acked > 95) { + debugs(15, 0, "95%% of replies from '" << p->host << "' are UDP_DENIED"); + debugs(15, 0, "Disabling '" << p->host << "', please check your configuration."); + neighborRemove(p); + p = NULL; + } else { + neighborCountIgnored(p); + } + } + } else if (opcode == ICP_MISS_NOFETCH) { + mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data); + } else { + debugs(15, 0, "neighborsUdpAck: Unexpected ICP reply: " << opcode_d); + } +} + +peer * +peerFindByName(const char *name) +{ + peer *p = NULL; + + for (p = Config.peers; p; p = p->next) { + if (!strcasecmp(name, p->name)) + break; + } + + return p; +} + +peer * +peerFindByNameAndPort(const char *name, unsigned short port) +{ + peer *p = NULL; + + for (p = Config.peers; p; p = p->next) { + if (strcasecmp(name, p->name)) + continue; + + if (port != p->http_port) + continue; + + break; + } + + return p; +} + +int +neighborUp(const peer * p) +{ + if (!p->tcp_up) { + if (!peerProbeConnect((peer *) p)) { + debugs(15, 8, "neighborUp: DOWN (probed): " << p->host << " (" << p->in_addr << ")"); + return 0; + } + } + + /* + * The peer can not be UP if we don't have any IP addresses + * for it. 
+ */ + if (0 == p->n_addresses) { + debugs(15, 8, "neighborUp: DOWN (no-ip): " << p->host << " (" << p->in_addr << ")"); + return 0; + } + + if (p->options.no_query) { + debugs(15, 8, "neighborUp: UP (no-query): " << p->host << " (" << p->in_addr << ")"); + return 1; + } + + if (p->stats.probe_start != 0 && + squid_curtime - p->stats.probe_start > Config.Timeout.deadPeer) { + debugs(15, 8, "neighborUp: DOWN (dead): " << p->host << " (" << p->in_addr << ")"); + return 0; + } + + debugs(15, 8, "neighborUp: UP: " << p->host << " (" << p->in_addr << ")"); + return 1; +} + +void +peerDestroy(void *data) +{ + peer *p = (peer *)data; + + struct _domain_ping *l = NULL; + + struct _domain_ping *nl = NULL; + + if (p == NULL) + return; + + for (l = p->peer_domain; l; l = nl) { + nl = l->next; + safe_free(l->domain); + safe_free(l); + } + + safe_free(p->host); + safe_free(p->name); + safe_free(p->domain); +#if USE_CACHE_DIGESTS + + cbdataReferenceDone(p->digest); +#endif +} + +void +peerNoteDigestGone(peer * p) +{ +#if USE_CACHE_DIGESTS + cbdataReferenceDone(p->digest); +#endif +} + +static void +peerDNSConfigure(const ipcache_addrs *ia, const DnsLookupDetails &, void *data) +{ + peer *p = (peer *)data; + + int j; + + if (p->n_addresses == 0) { + debugs(15, 1, "Configuring " << neighborTypeStr(p) << " " << p->host << "/" << p->http_port << "/" << p->icp.port); + + if (p->type == PEER_MULTICAST) + debugs(15, 1, " Multicast TTL = " << p->mcast.ttl); + } + + p->n_addresses = 0; + + if (ia == NULL) { + debugs(0, 0, "WARNING: DNS lookup for '" << p->host << "' failed!"); + return; + } + + if ((int) ia->count < 1) { + debugs(0, 0, "WARNING: No IP address found for '" << p->host << "'!"); + return; + } + + p->tcp_up = p->connect_fail_limit; + + for (j = 0; j < (int) ia->count && j < PEER_MAX_ADDRESSES; j++) { + p->addresses[j] = ia->in_addrs[j]; + debugs(15, 2, "--> IP address #" << j << ": " << p->addresses[j]); + p->n_addresses++; + } + + p->in_addr.SetEmpty(); + p->in_addr = 
p->addresses[0]; + p->in_addr.SetPort(p->icp.port); + + if (p->type == PEER_MULTICAST) + peerCountMcastPeersSchedule(p, 10); + +#if USE_ICMP + if (p->type != PEER_MULTICAST) + if (!p->options.no_netdb_exchange) + eventAddIsh("netdbExchangeStart", netdbExchangeStart, p, 30.0, 1); +#endif + +} + +static void +peerRefreshDNS(void *data) +{ + peer *p = NULL; + + if (eventFind(peerRefreshDNS, NULL)) + eventDelete(peerRefreshDNS, NULL); + + if (!data && 0 == stat5minClientRequests()) { + /* no recent client traffic, wait a bit */ + eventAddIsh("peerRefreshDNS", peerRefreshDNS, NULL, 180.0, 1); + return; + } + + for (p = Config.peers; p; p = p->next) + ipcache_nbgethostbyname(p->host, peerDNSConfigure, p); + + /* Reconfigure the peers every hour */ + eventAddIsh("peerRefreshDNS", peerRefreshDNS, NULL, 3600.0, 1); +} + +static void +peerConnectFailedSilent(peer * p) +{ + p->stats.last_connect_failure = squid_curtime; + + if (!p->tcp_up) { + debugs(15, 2, "TCP connection to " << p->host << "/" << p->http_port << + " dead"); + return; + } + + p->tcp_up--; + + if (!p->tcp_up) { + debugs(15, 1, "Detected DEAD " << neighborTypeStr(p) << ": " << p->name); + p->stats.logged_state = PEER_DEAD; + } +} + +void +peerConnectFailed(peer *p) +{ + debugs(15, 1, "TCP connection to " << p->host << "/" << p->http_port << " failed"); + peerConnectFailedSilent(p); +} + +void +peerConnectSucceded(peer * p) +{ + if (!p->tcp_up) { + debugs(15, 2, "TCP connection to " << p->host << "/" << p->http_port << " succeded"); + p->tcp_up = p->connect_fail_limit; // NP: so peerAlive(p) works properly. 
+ peerAlive(p); + if (!p->n_addresses) + ipcache_nbgethostbyname(p->host, peerDNSConfigure, p); + } else + p->tcp_up = p->connect_fail_limit; +} + +/// called by Comm when test_fd is closed while connect is in progress +static void +peerProbeClosed(int fd, void *data) +{ + peer *p = (peer*)data; + p->test_fd = -1; + // it is a failure because we failed to connect + peerConnectFailedSilent(p); +} + +static void +peerProbeConnectTimeout(int fd, void *data) +{ + peer * p = (peer *)data; + comm_remove_close_handler(fd, &peerProbeClosed, p); + comm_close(fd); + p->test_fd = -1; + peerConnectFailedSilent(p); +} + +/* +* peerProbeConnect will be called on dead peers by neighborUp +*/ +static int +peerProbeConnect(peer * p) +{ + int fd; + time_t ctimeout = p->connect_timeout > 0 ? p->connect_timeout + : Config.Timeout.peer_connect; + int ret = squid_curtime - p->stats.last_connect_failure > ctimeout * 10; + + if (p->test_fd != -1) + return ret;/* probe already running */ + + if (squid_curtime - p->stats.last_connect_probe == 0) + return ret;/* don't probe to often */ + + Ip::Address temp(getOutgoingAddr(NULL,p)); + + fd = comm_open(SOCK_STREAM, IPPROTO_TCP, temp, COMM_NONBLOCKING, p->host); + + if (fd < 0) + return ret; + + comm_add_close_handler(fd, &peerProbeClosed, p); + commSetTimeout(fd, ctimeout, peerProbeConnectTimeout, p); + + p->test_fd = fd; + + p->stats.last_connect_probe = squid_curtime; + + commConnectStart(p->test_fd, + p->host, + p->http_port, + peerProbeConnectDone, + p); + + return ret; +} + +static void +peerProbeConnectDone(int fd, const DnsLookupDetails &, comm_err_t status, int xerrno, void *data) +{ + peer *p = (peer*)data; + + if (status == COMM_OK) { + peerConnectSucceded(p); + } else { + peerConnectFailedSilent(p); + } + + comm_remove_close_handler(fd, &peerProbeClosed, p); + comm_close(fd); + p->test_fd = -1; + return; +} + +static void +peerCountMcastPeersSchedule(peer * p, time_t when) +{ + if (p->mcast.flags.count_event_pending) + return; + + 
eventAdd("peerCountMcastPeersStart", + peerCountMcastPeersStart, + p, + (double) when, 1); + + p->mcast.flags.count_event_pending = 1; +} + +static void +peerCountMcastPeersStart(void *data) +{ + peer *p = (peer *)data; + ps_state *psstate; + StoreEntry *fake; + MemObject *mem; + icp_common_t *query; + int reqnum; + LOCAL_ARRAY(char, url, MAX_URL); + assert(p->type == PEER_MULTICAST); + p->mcast.flags.count_event_pending = 0; + snprintf(url, MAX_URL, "http://"); + p->in_addr.ToURL(url+7, MAX_URL -8 ); + strcat(url, "/"); + fake = storeCreateEntry(url, url, request_flags(), METHOD_GET); + HttpRequest *req = HttpRequest::CreateFromUrl(url); + psstate = new ps_state; + psstate->request = HTTPMSGLOCK(req); + psstate->entry = fake; + psstate->callback = NULL; + psstate->callback_data = cbdataReference(p); + psstate->ping.start = current_time; + mem = fake->mem_obj; + mem->request = HTTPMSGLOCK(psstate->request); + mem->start_ping = current_time; + mem->ping_reply_callback = peerCountHandleIcpReply; + mem->ircb_data = psstate; + mcastSetTtl(theOutIcpConnection, p->mcast.ttl); + p->mcast.id = mem->id; + reqnum = icpSetCacheKey((const cache_key *)fake->key); + query = _icp_common_t::createMessage(ICP_QUERY, 0, url, reqnum, 0); + icpUdpSend(theOutIcpConnection, + p->in_addr, + query, + LOG_ICP_QUERY, + 0); + fake->ping_status = PING_WAITING; + eventAdd("peerCountMcastPeersDone", + peerCountMcastPeersDone, + psstate, + Config.Timeout.mcast_icp_query / 1000.0, 1); + p->mcast.flags.counting = 1; + peerCountMcastPeersSchedule(p, MCAST_COUNT_RATE); +} + +static void +peerCountMcastPeersDone(void *data) +{ + ps_state *psstate = (ps_state *)data; + StoreEntry *fake = psstate->entry; + + if (cbdataReferenceValid(psstate->callback_data)) { + peer *p = (peer *)psstate->callback_data; + p->mcast.flags.counting = 0; + p->mcast.avg_n_members = Math::doubleAverage(p->mcast.avg_n_members, (double) psstate->ping.n_recv, ++p->mcast.n_times_counted, 10); + debugs(15, 1, "Group " << p->host 
<< ": " << psstate->ping.n_recv << + " replies, "<< std::setw(4)<< std::setprecision(2) << + p->mcast.avg_n_members <<" average, RTT " << p->stats.rtt); + p->mcast.n_replies_expected = (int) p->mcast.avg_n_members; + } + + cbdataReferenceDone(psstate->callback_data); + + EBIT_SET(fake->flags, ENTRY_ABORTED); + HTTPMSGUNLOCK(fake->mem_obj->request); + fake->releaseRequest(); + fake->unlock(); + HTTPMSGUNLOCK(psstate->request); + cbdataFree(psstate); +} + +static void +peerCountHandleIcpReply(peer * p, peer_t type, protocol_t proto, void *hdrnotused, void *data) +{ + int rtt_av_factor; + + ps_state *psstate = (ps_state *)data; + StoreEntry *fake = psstate->entry; + MemObject *mem = fake->mem_obj; + int rtt = tvSubMsec(mem->start_ping, current_time); + assert(proto == PROTO_ICP); + assert(fake); + assert(mem); + psstate->ping.n_recv++; + rtt_av_factor = RTT_AV_FACTOR; + + if (p->options.weighted_roundrobin) + rtt_av_factor = RTT_BACKGROUND_AV_FACTOR; + + p->stats.rtt = Math::intAverage(p->stats.rtt, rtt, psstate->ping.n_recv, rtt_av_factor); +} + +static void +neighborDumpPeers(StoreEntry * sentry) +{ + dump_peers(sentry, Config.peers); +} + +static void +neighborDumpNonPeers(StoreEntry * sentry) +{ + dump_peers(sentry, non_peers); +} + +void +dump_peer_options(StoreEntry * sentry, peer * p) +{ + if (p->options.proxy_only) + storeAppendPrintf(sentry, " proxy-only"); + + if (p->options.no_query) + storeAppendPrintf(sentry, " no-query"); + + if (p->options.background_ping) + storeAppendPrintf(sentry, " background-ping"); + + if (p->options.no_digest) + storeAppendPrintf(sentry, " no-digest"); + + if (p->options.default_parent) + storeAppendPrintf(sentry, " default"); + + if (p->options.roundrobin) + storeAppendPrintf(sentry, " round-robin"); + + if (p->options.carp) + storeAppendPrintf(sentry, " carp"); + + if (p->options.userhash) + storeAppendPrintf(sentry, " userhash"); + + if (p->options.userhash) + storeAppendPrintf(sentry, " sourcehash"); + + if 
(p->options.weighted_roundrobin) + storeAppendPrintf(sentry, " weighted-round-robin"); + + if (p->options.mcast_responder) + storeAppendPrintf(sentry, " multicast-responder"); + +#if PEER_MULTICAST_SIBLINGS + if (p->options.mcast_siblings) + storeAppendPrintf(sentry, " multicast-siblings"); +#endif + + if (p->weight != 1) + storeAppendPrintf(sentry, " weight=%d", p->weight); + + if (p->options.closest_only) + storeAppendPrintf(sentry, " closest-only"); + +#if USE_HTCP + if (p->options.htcp) + storeAppendPrintf(sentry, " htcp"); + if (p->options.htcp_oldsquid) + storeAppendPrintf(sentry, " htcp-oldsquid"); + if (p->options.htcp_no_clr) + storeAppendPrintf(sentry, " htcp-no-clr"); + if (p->options.htcp_no_purge_clr) + storeAppendPrintf(sentry, " htcp-no-purge-clr"); + if (p->options.htcp_only_clr) + storeAppendPrintf(sentry, " htcp-only-clr"); +#endif + + if (p->options.no_netdb_exchange) + storeAppendPrintf(sentry, " no-netdb-exchange"); + +#if DELAY_POOLS + + if (p->options.no_delay) + storeAppendPrintf(sentry, " no-delay"); + +#endif + + if (p->login) + storeAppendPrintf(sentry, " login=%s", p->login); + + if (p->mcast.ttl > 0) + storeAppendPrintf(sentry, " ttl=%d", p->mcast.ttl); + + if (p->connect_timeout > 0) + storeAppendPrintf(sentry, " connect-timeout=%d", (int) p->connect_timeout); + + if (p->connect_fail_limit != PEER_TCP_MAGIC_COUNT) + storeAppendPrintf(sentry, " connect-fail-limit=%d", p->connect_fail_limit); + +#if USE_CACHE_DIGESTS + + if (p->digest_url) + storeAppendPrintf(sentry, " digest-url=%s", p->digest_url); + +#endif + + if (p->options.allow_miss) + storeAppendPrintf(sentry, " allow-miss"); + + if (p->options.no_tproxy) + storeAppendPrintf(sentry, " no-tproxy"); + + if (p->max_conn > 0) + storeAppendPrintf(sentry, " max-conn=%d", p->max_conn); + + if (p->options.originserver) + storeAppendPrintf(sentry, " originserver"); + + if (p->domain) + storeAppendPrintf(sentry, " forceddomain=%s", p->domain); + + if (p->connection_auth == 0) + 
storeAppendPrintf(sentry, " connection-auth=off"); + else if (p->connection_auth == 1) + storeAppendPrintf(sentry, " connection-auth=on"); + else if (p->connection_auth == 2) + storeAppendPrintf(sentry, " connection-auth=auto"); + + storeAppendPrintf(sentry, "\n"); +} + +static void +dump_peers(StoreEntry * sentry, peer * peers) +{ + peer *e = NULL; + char ntoabuf[MAX_IPSTRLEN]; + struct _domain_ping *d = NULL; + icp_opcode op; + int i; + + if (peers == NULL) + storeAppendPrintf(sentry, "There are no neighbors installed.\n"); + + for (e = peers; e; e = e->next) { + assert(e->host != NULL); + storeAppendPrintf(sentry, "\n%-11.11s: %s\n", + neighborTypeStr(e), + e->name); + storeAppendPrintf(sentry, "Host : %s/%d/%d\n", + e->host, + e->http_port, + e->icp.port); + storeAppendPrintf(sentry, "Flags :"); + dump_peer_options(sentry, e); + + for (i = 0; i < e->n_addresses; i++) { + storeAppendPrintf(sentry, "Address[%d] : %s\n", i, + e->addresses[i].NtoA(ntoabuf,MAX_IPSTRLEN) ); + } + + storeAppendPrintf(sentry, "Status : %s\n", + neighborUp(e) ? 
"Up" : "Down"); + storeAppendPrintf(sentry, "FETCHES : %d\n", e->stats.fetches); + storeAppendPrintf(sentry, "OPEN CONNS : %d\n", e->stats.conn_open); + storeAppendPrintf(sentry, "AVG RTT : %d msec\n", e->stats.rtt); + + if (!e->options.no_query) { + storeAppendPrintf(sentry, "LAST QUERY : %8d seconds ago\n", + (int) (squid_curtime - e->stats.last_query)); + + if (e->stats.last_reply > 0) + storeAppendPrintf(sentry, "LAST REPLY : %8d seconds ago\n", + (int) (squid_curtime - e->stats.last_reply)); + else + storeAppendPrintf(sentry, "LAST REPLY : none received\n"); + + storeAppendPrintf(sentry, "PINGS SENT : %8d\n", e->stats.pings_sent); + + storeAppendPrintf(sentry, "PINGS ACKED: %8d %3d%%\n", + e->stats.pings_acked, + Math::intPercent(e->stats.pings_acked, e->stats.pings_sent)); + } + + storeAppendPrintf(sentry, "IGNORED : %8d %3d%%\n", e->stats.ignored_replies, Math::intPercent(e->stats.ignored_replies, e->stats.pings_acked)); + + if (!e->options.no_query) { + storeAppendPrintf(sentry, "Histogram of PINGS ACKED:\n"); +#if USE_HTCP + + if (e->options.htcp) { + storeAppendPrintf(sentry, "\tMisses\t%8d %3d%%\n", + e->htcp.counts[0], + Math::intPercent(e->htcp.counts[0], e->stats.pings_acked)); + storeAppendPrintf(sentry, "\tHits\t%8d %3d%%\n", + e->htcp.counts[1], + Math::intPercent(e->htcp.counts[1], e->stats.pings_acked)); + } else { +#endif + + for (op = ICP_INVALID; op < ICP_END; ++op) { + if (e->icp.counts[op] == 0) + continue; + + storeAppendPrintf(sentry, " %12.12s : %8d %3d%%\n", + icp_opcode_str[op], + e->icp.counts[op], + Math::intPercent(e->icp.counts[op], e->stats.pings_acked)); + } + +#if USE_HTCP + + } + +#endif + + } + + if (e->stats.last_connect_failure) { + storeAppendPrintf(sentry, "Last failed connect() at: %s\n", + mkhttpdlogtime(&(e->stats.last_connect_failure))); + } + + if (e->peer_domain != NULL) { + storeAppendPrintf(sentry, "DOMAIN LIST: "); + + for (d = e->peer_domain; d; d = d->next) { + storeAppendPrintf(sentry, "%s%s ", + d->do_ping ? 
null_string : "!", d->domain); + } + + storeAppendPrintf(sentry, "\n"); + } + + storeAppendPrintf(sentry, "keep-alive ratio: %d%%\n", Math::intPercent(e->stats.n_keepalives_recv, e->stats.n_keepalives_sent)); + } +} + +#if USE_HTCP +void +neighborsHtcpReply(const cache_key * key, htcpReplyData * htcp, const Ip::Address &from) +{ + StoreEntry *e = Store::Root().get(key); + MemObject *mem = NULL; + peer *p; + peer_t ntype = PEER_NONE; + debugs(15, 6, "neighborsHtcpReply: " << + (htcp->hit ? "HIT" : "MISS") << " " << + storeKeyText(key) ); + + if (NULL != e) + mem = e->mem_obj; + + if ((p = whichPeer(from))) + neighborAliveHtcp(p, mem, htcp); + + /* Does the entry exist? */ + if (NULL == e) { + debugs(12, 3, "neighyborsHtcpReply: Cache key '" << storeKeyText(key) << "' not found"); + neighborCountIgnored(p); + return; + } + + /* check if someone is already fetching it */ + if (EBIT_TEST(e->flags, ENTRY_DISPATCHED)) { + debugs(15, 3, "neighborsUdpAck: '" << storeKeyText(key) << "' already being fetched."); + neighborCountIgnored(p); + return; + } + + if (mem == NULL) { + debugs(15, 2, "Ignoring reply for missing mem_obj: " << storeKeyText(key)); + neighborCountIgnored(p); + return; + } + + if (e->ping_status != PING_WAITING) { + debugs(15, 2, "neighborsUdpAck: Entry " << storeKeyText(key) << " is not PING_WAITING"); + neighborCountIgnored(p); + return; + } + + if (e->lock_count == 0) { + debugs(12, 1, "neighborsUdpAck: '" << storeKeyText(key) << "' has no locks"); + neighborCountIgnored(p); + return; + } + + if (p) { + ntype = neighborType(p, mem->request); + neighborUpdateRtt(p, mem); + } + + if (ignoreMulticastReply(p, mem)) { + neighborCountIgnored(p); + return; + } + + debugs(15, 3, "neighborsHtcpReply: e = " << e); + mem->ping_reply_callback(p, ntype, PROTO_HTCP, htcp, mem->ircb_data); +} + +/* + * Send HTCP CLR messages to all peers configured to receive them. 
+ */ +void +neighborsHtcpClear(StoreEntry * e, const char *uri, HttpRequest * req, const HttpRequestMethod &method, htcp_clr_reason reason) +{ + peer *p; + char buf[128]; + + for (p = Config.peers; p; p = p->next) { + if (!p->options.htcp) { + continue; + } + if (p->options.htcp_no_clr) { + continue; + } + if (p->options.htcp_no_purge_clr && reason == HTCP_CLR_PURGE) { + continue; + } + debugs(15, 3, "neighborsHtcpClear: sending CLR to " << p->in_addr.ToURL(buf, 128)); + htcpClear(e, uri, req, method, p, reason); + } +} + +#endif === modified file 'src/structs.h' --- src/structs.h 2010-04-17 02:29:04 +0000 +++ src/structs.h 2010-05-18 20:24:54 +0000 
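Review bot: in neighborsUdpAck() the ICP_MISS_NOFETCH branch calls mem->ping_reply_callback(p, ntype, PROTO_ICP, header, mem->ircb_data) without the p == NULL test that the ICP_MISS, ICP_HIT, ICP_DECHO and ICP_DENIED branches all make before they fall back to neighborIgnoreNonPeer(from, opcode). whichPeer(from) can return NULL for a sender that is not a configured peer, and peerCountHandleIcpReply() in this same file reads p->options.weighted_roundrobin and writes p->stats.rtt unconditionally. Add the same NULL check and neighborIgnoreNonPeer() fallback to the ICP_MISS_NOFETCH branch. Two smaller points in the same hunk: dump_peer_options() tests p->options.userhash twice, so " sourcehash" is printed whenever userhash is set; the second test should check the source-hash option instead. And peerNoteDigestLookup() copies p->host with strncpy(request->hier.cd_host, p->host, sizeof(request->hier.cd_host)), which leaves cd_host unterminated when the host name fills the buffer; copy at most sizeof - 1 bytes and write the terminator explicitly.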
@@ -1,1308 +1,1309 @@ -/* - * SQUID Web Proxy Cache http://www.squid-cache.org/ - * ---------------------------------------------------------- - * - * Squid is the result of efforts by numerous individuals from - * the Internet community; see the CONTRIBUTORS file for full - * details. Many organizations have provided support for Squid's - * development; see the SPONSORS file for full details. Squid is - * Copyrighted (C) 2001 by the Regents of the University of - * California; see the COPYRIGHT file for full details. Squid - * incorporates software developed and/or copyrighted by other - * sources; see the CREDITS file for full details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. 
- * - */ -#ifndef SQUID_STRUCTS_H -#define SQUID_STRUCTS_H - -#include "config.h" -#include "RefCount.h" -#include "cbdata.h" -#include "dlink.h" -#include "err_type.h" - -/* needed for the global config */ -#include "HttpHeader.h" - -/* for ICP_END */ -#include "icp_opcode.h" - -#define PEER_MULTICAST_SIBLINGS 1 - -struct acl_name_list { - char name[ACL_NAME_SZ]; - acl_name_list *next; -}; - -struct acl_deny_info_list { - err_type err_page_id; - char *err_page_name; - acl_name_list *acl_list; - acl_deny_info_list *next; -}; - - -class acl_access; - -struct _header_mangler { - acl_access *access_list; - char *replacement; -}; - -class ACLChecklist; - -#if SQUID_SNMP - -struct _snmp_request_t { - u_char *buf; - u_char *outbuf; - int len; - int sock; - long reqid; - int outlen; - - Ip::Address from; - - struct snmp_pdu *PDU; - ACLChecklist *acl_checklist; - u_char *community; - - struct snmp_session session; -}; - -#endif - -class ACLList; - -struct acl_address { - acl_address *next; - ACLList *aclList; - - Ip::Address addr; -}; - -struct acl_tos { - acl_tos *next; - ACLList *aclList; - int tos; -}; - -struct acl_size_t { - acl_size_t *next; - ACLList *aclList; - int64_t size; -}; - -struct ushortlist { - u_short i; - ushortlist *next; -}; - -struct relist { - char *pattern; - regex_t regex; - relist *next; -}; - -#if DELAY_POOLS -#include "DelayConfig.h" -#endif - -#if USE_ICMP -#include "icmp/IcmpConfig.h" -#endif - -#include "HelperChildConfig.h" - -/* forward decl for SquidConfig, see RemovalPolicy.h */ - -class RemovalPolicySettings; -class external_acl; -class Store; - -struct SquidConfig { - - struct { - /* These should be for the Store::Root instance. - * this needs pluggable parsing to be done smoothly. 
- */ - int highWaterMark; - int lowWaterMark; - } Swap; - size_t memMaxSize; - - struct { - int64_t min; - int pct; - int64_t max; - } quickAbort; - int64_t readAheadGap; - RemovalPolicySettings *replPolicy; - RemovalPolicySettings *memPolicy; -#if HTTP_VIOLATIONS - time_t negativeTtl; -#endif - time_t negativeDnsTtl; - time_t positiveDnsTtl; - time_t shutdownLifetime; - time_t backgroundPingRate; - - struct { - time_t read; - time_t write; - time_t lifetime; - time_t connect; - time_t forward; - time_t peer_connect; - time_t request; - time_t persistent_request; - time_t pconn; - time_t siteSelect; - time_t deadPeer; - int icp_query; /* msec */ - int icp_query_max; /* msec */ - int icp_query_min; /* msec */ - int mcast_icp_query; /* msec */ - -#if !USE_DNSSERVERS - - time_t idns_retransmit; - time_t idns_query; -#endif - - } Timeout; - size_t maxRequestHeaderSize; - int64_t maxRequestBodySize; - int64_t maxChunkedRequestBodySize; - size_t maxReplyHeaderSize; - acl_size_t *ReplyBodySize; - - struct { - u_short icp; -#if USE_HTCP - - u_short htcp; -#endif -#if SQUID_SNMP - - u_short snmp; -#endif - } Port; - - struct { - http_port_list *http; -#if USE_SSL - - https_port_list *https; -#endif - - } Sockaddr; -#if SQUID_SNMP - - struct { - char *configFile; - char *agentInfo; - } Snmp; -#endif -#if USE_WCCP - - struct { - Ip::Address router; - Ip::Address address; - int version; - } Wccp; -#endif -#if USE_WCCPv2 - - struct { - Ip::Address_list *router; - Ip::Address address; - int forwarding_method; - int return_method; - int assignment_method; - int weight; - int rebuildwait; - void *info; - } Wccp2; -#endif - -#if USE_ICMP - IcmpConfig pinger; -#endif - - char *as_whois_server; - - struct { - char *store; - char *swap; -#if USE_USERAGENT_LOG - - char *useragent; -#endif -#if USE_REFERER_LOG - - char *referer; -#endif -#if WIP_FWD_LOG - - char *forward; -#endif - - logformat *logformats; - - customlog *accesslogs; - -#if ICAP_CLIENT - customlog *icaplogs; -#endif - - 
int rotateNumber; - } Log; - char *adminEmail; - char *EmailFrom; - char *EmailProgram; - char *effectiveUser; - char *visible_appname_string; - char *effectiveGroup; - - struct { -#if USE_DNSSERVERS - char *dnsserver; -#endif - - wordlist *redirect; -#if USE_UNLINKD - - char *unlinkd; -#endif - - char *diskd; -#if USE_SSL - - char *ssl_password; -#endif - - } Program; -#if USE_DNSSERVERS - - HelperChildConfig dnsChildren; -#endif - - HelperChildConfig redirectChildren; - time_t authenticateGCInterval; - time_t authenticateTTL; - time_t authenticateIpTTL; - - struct { - char *surrogate_id; - } Accel; - char *appendDomain; - size_t appendDomainLen; - char *pidFilename; - char *netdbFilename; - char *mimeTablePathname; - char *etcHostsPath; - char *visibleHostname; - char *uniqueHostname; - wordlist *hostnameAliases; - char *errHtmlText; - - struct { - char *host; - char *file; - time_t period; - u_short port; - } Announce; - - struct { - - Ip::Address udp_incoming; - Ip::Address udp_outgoing; -#if SQUID_SNMP - Ip::Address snmp_incoming; - Ip::Address snmp_outgoing; -#endif - /* FIXME INET6 : this should really be a CIDR value */ - Ip::Address client_netmask; - } Addrs; - size_t tcpRcvBufsz; - size_t udpMaxHitObjsz; - wordlist *hierarchy_stoplist; - wordlist *mcast_group_list; - wordlist *dns_nameservers; - peer *peers; - int npeers; - - struct { - int size; - int low; - int high; - } ipcache; - - struct { - int size; - } fqdncache; - int minDirectHops; - int minDirectRtt; - cachemgr_passwd *passwd_list; - - struct { - int objectsPerBucket; - int64_t avgObjectSize; - int64_t maxObjectSize; - int64_t minObjectSize; - size_t maxInMemObjSize; - } Store; - - struct { - int high; - int low; - time_t period; - } Netdb; - - struct { - int log_udp; - int res_defnames; - int anonymizer; - int client_db; - int query_icmp; - int icp_hit_stale; - int buffered_logs; - int common_log; - int log_mime_hdrs; - int log_fqdn; - int announce; - int mem_pools; - int test_reachability; - 
int half_closed_clients; - int refresh_all_ims; -#if HTTP_VIOLATIONS - - int reload_into_ims; - int ignore_expect_100; -#endif - - int offline; - int redir_rewrites_host; - int prefer_direct; - int nonhierarchical_direct; - int strip_query_terms; - int redirector_bypass; - int ignore_unknown_nameservers; - int client_pconns; - int server_pconns; - int error_pconns; -#if USE_CACHE_DIGESTS - - int digest_generation; -#endif - - int log_ip_on_direct; - int ie_refresh; - int vary_ignore_expire; - int pipeline_prefetch; - int surrogate_is_remote; - int request_entities; - int detect_broken_server_pconns; - int balance_on_multiple_ip; - int relaxed_header_parser; - int check_hostnames; - int allow_underscore; - int via; - int emailErrData; - int httpd_suppress_version_string; - int global_internal_static; - int dns_require_A; - -#if FOLLOW_X_FORWARDED_FOR - int acl_uses_indirect_client; - int delay_pool_uses_indirect_client; - int log_uses_indirect_client; -#endif /* FOLLOW_X_FORWARDED_FOR */ - - int WIN32_IpAddrChangeMonitor; - int memory_cache_first; - int memory_cache_disk; - } onoff; - - int forward_max_tries; - - class ACL *aclList; - - struct { - acl_access *http; - acl_access *adapted_http; - acl_access *icp; - acl_access *miss; - acl_access *NeverDirect; - acl_access *AlwaysDirect; - acl_access *ASlists; - acl_access *noCache; - acl_access *log; -#if SQUID_SNMP - - acl_access *snmp; -#endif -#if HTTP_VIOLATIONS - acl_access *brokenPosts; -#endif - acl_access *redirector; - acl_access *reply; - acl_address *outgoing_address; - acl_tos *outgoing_tos; - acl_tos *clientside_tos; -#if USE_HTCP - - acl_access *htcp; - acl_access *htcp_clr; -#endif - -#if USE_SSL - acl_access *ssl_bump; -#endif -#if FOLLOW_X_FORWARDED_FOR - acl_access *followXFF; -#endif /* FOLLOW_X_FORWARDED_FOR */ - -#if ICAP_CLIENT - acl_access* icap; -#endif - } accessList; - acl_deny_info_list *denyInfoList; - authConfig authConfiguration; - - struct { - size_t list_width; - int list_wrap; - char 
*anon_user; - int passive; - int epsv_all; - int epsv; - int sanitycheck; - int telnet; - } Ftp; - refresh_t *Refresh; - - struct _cacheSwap { - RefCount *swapDirs; - int n_allocated; - int n_configured; - } cacheSwap; - /* - * I'm sick of having to keep doing this .. - */ -#define INDEXSD(i) (Config.cacheSwap.swapDirs[(i)].getRaw()) - - struct { - char *directory; - int use_short_names; - } icons; - char *errorDirectory; -#if USE_ERR_LOCALES - char *errorDefaultLanguage; - int errorLogMissingLanguages; -#endif - char *errorStylesheet; - - struct { - int maxtries; - int onerror; - } retry; - - struct { - size_t limit; - } MemPools; -#if DELAY_POOLS - - DelayConfig Delay; -#endif - - struct { - int icp_average; - int dns_average; - int http_average; - int icp_min_poll; - int dns_min_poll; - int http_min_poll; - } comm_incoming; - int max_open_disk_fds; - int uri_whitespace; - acl_size_t *rangeOffsetLimit; -#if MULTICAST_MISS_STREAM - - struct { - - Ip::Address addr; - int ttl; - unsigned short port; - char *encode_key; - } mcast_miss; -#endif - - /* one access list per header type we know of */ - header_mangler request_header_access[HDR_ENUM_END]; - /* one access list per header type we know of */ - header_mangler reply_header_access[HDR_ENUM_END]; - char *coredump_dir; - char *chroot_dir; -#if USE_CACHE_DIGESTS - - struct { - int bits_per_entry; - time_t rebuild_period; - time_t rewrite_period; - size_t swapout_chunk_size; - int rebuild_chunk_percentage; - } digest; -#endif -#if USE_SSL - - struct { - int unclean_shutdown; - char *ssl_engine; - } SSL; -#endif - - wordlist *ext_methods; - - struct { - int high_rptm; - int high_pf; - size_t high_memory; - } warnings; - char *store_dir_select_algorithm; - int sleep_after_fork; /* microseconds */ - time_t minimum_expiry_time; /* seconds */ - external_acl *externalAclHelperList; - -#if USE_SSL - - struct { - char *cert; - char *key; - int version; - char *options; - char *cipher; - char *cafile; - char *capath; - char 
*crlfile; - char *flags; - acl_access *cert_error; - SSL_CTX *sslContext; - } ssl_client; -#endif - - char *accept_filter; - int umask; - -#if USE_LOADABLE_MODULES - wordlist *loadable_module_names; -#endif - - int client_ip_max_connections; -}; - -SQUIDCEXTERN SquidConfig Config; - -struct SquidConfig2 { - struct { - int enable_purge; - int mangle_request_headers; - } onoff; - uid_t effectiveUserID; - gid_t effectiveGroupID; -}; - -SQUIDCEXTERN SquidConfig2 Config2; - -struct _close_handler { - PF *handler; - void *data; - close_handler *next; -}; - -struct _dread_ctrl { - int fd; - off_t offset; - int req_len; - char *buf; - int end_of_file; - DRCB *handler; - void *client_data; -}; - -struct _dwrite_q { - off_t file_offset; - char *buf; - size_t len; - size_t buf_offset; - dwrite_q *next; - FREE *free_func; -}; - - -/* ETag support is rudimantal; - * this struct is likely to change - * Note: "str" points to memory in HttpHeaderEntry (for now) - * so ETags should be used as tmp variables only (for now) */ - -struct _ETag { - const char *str; /* quoted-string */ - int weak; /* true if it is a weak validator */ -}; - -struct _fde_disk { - DWCB *wrt_handle; - void *wrt_handle_data; - dwrite_q *write_q; - dwrite_q *write_q_tail; - off_t offset; -}; - -struct _fileMap { - int max_n_files; - int n_files_in_map; - int toggle; - int nwords; - unsigned long *file_map; -}; - -/* - * Note: HttpBody is used only for messages with a small content that is - * known a priory (e.g., error messages). 
- */ - -class MemBuf; - -struct _HttpBody { - /* private */ - MemBuf *mb; -}; - -#include "SquidString.h" -/* http header extention field */ - -class HttpHdrExtField -{ - String name; /* field-name from HTTP/1.1 (no column after name) */ - String value; /* field-value from HTTP/1.1 */ -}; - -/* http cache control header field */ - -class HttpHdrCc -{ - -public: - int mask; - int max_age; - int s_maxage; - int max_stale; - String other; -}; - -/* some fields can hold either time or etag specs (e.g. If-Range) */ - -struct _TimeOrTag { - ETag tag; /* entity tag */ - time_t time; - int valid; /* true if struct is usable */ -}; - -/* per field statistics */ - -class HttpHeaderFieldStat -{ - -public: - HttpHeaderFieldStat() : aliveCount(0), seenCount(0), parsCount(0), errCount(0), repCount(0) {} - - int aliveCount; /* created but not destroyed (count) */ - int seenCount; /* #fields we've seen */ - int parsCount; /* #parsing attempts */ - int errCount; /* #pasring errors */ - int repCount; /* #repetitons */ -}; - -/* compiled version of HttpHeaderFieldAttrs plus stats */ - -class HttpHeaderFieldInfo -{ - -public: - HttpHeaderFieldInfo() : id (HDR_ACCEPT), type (ftInvalid) {} - - http_hdr_type id; - String name; - field_type type; - HttpHeaderFieldStat stat; -}; - -struct _http_state_flags { - unsigned int proxying:1; - unsigned int keepalive:1; - unsigned int only_if_cached:1; - unsigned int headers_parsed:1; - unsigned int front_end_https:2; - unsigned int originpeer:1; - unsigned int keepalive_broken:1; - unsigned int abuse_detected:1; - unsigned int request_sent:1; - unsigned int do_next_read:1; - unsigned int consume_body_data:1; - unsigned int chunked:1; -}; - -struct _ipcache_addrs { - Ip::Address *in_addrs; - unsigned char *bad_mask; - unsigned char count; - unsigned char cur; - unsigned char badcount; -}; - -struct _domain_ping { - char *domain; - int do_ping; /* boolean */ - domain_ping *next; -}; - -struct _domain_type { - char *domain; - peer_t type; - 
domain_type *next; -}; - -#if USE_CACHE_DIGESTS - -/* statistics for cache digests and other hit "predictors" */ - -struct _cd_guess_stats { - /* public, read-only */ - int true_hits; - int false_hits; - int true_misses; - int false_misses; - int close_hits; /* tmp, remove it later */ -}; - -#endif - -class PeerDigest; - -struct peer { - u_int index; - char *name; - char *host; - peer_t type; - - Ip::Address in_addr; - - struct { - int pings_sent; - int pings_acked; - int fetches; - int rtt; - int ignored_replies; - int n_keepalives_sent; - int n_keepalives_recv; - time_t probe_start; - time_t last_query; - time_t last_reply; - time_t last_connect_failure; - time_t last_connect_probe; - int logged_state; /* so we can print dead/revived msgs */ - int conn_open; /* current opened connections */ - } stats; - - struct { - int version; - int counts[ICP_END+1]; - u_short port; - } icp; - -#if USE_HTCP - struct { - double version; - int counts[2]; - u_short port; - } htcp; -#endif - - u_short http_port; - domain_ping *peer_domain; - domain_type *typelist; - acl_access *access; - - struct { - unsigned int proxy_only:1; - unsigned int no_query:1; - unsigned int background_ping:1; - unsigned int no_digest:1; - unsigned int default_parent:1; - unsigned int roundrobin:1; - unsigned int weighted_roundrobin:1; - unsigned int mcast_responder:1; - unsigned int closest_only:1; -#if USE_HTCP - unsigned int htcp:1; - unsigned int htcp_oldsquid:1; - unsigned int htcp_no_clr:1; - unsigned int htcp_no_purge_clr:1; - unsigned int htcp_only_clr:1; - unsigned int htcp_forward_clr:1; -#endif - unsigned int no_netdb_exchange:1; -#if DELAY_POOLS - unsigned int no_delay:1; -#endif - unsigned int allow_miss:1; - unsigned int carp:1; - unsigned int userhash:1; - unsigned int sourcehash:1; - unsigned int originserver:1; - unsigned int no_tproxy:1; -#if PEER_MULTICAST_SIBLINGS - unsigned int mcast_siblings:1; -#endif - } options; - - int weight; - int basetime; - - struct { - double avg_n_members; 
- int n_times_counted; - int n_replies_expected; - int ttl; - int id; - - struct { - unsigned int count_event_pending:1; - unsigned int counting:1; - } flags; - } mcast; -#if USE_CACHE_DIGESTS - - PeerDigest *digest; - char *digest_url; -#endif - - int tcp_up; /* 0 if a connect() fails */ - - Ip::Address addresses[10]; - int n_addresses; - int rr_count; - peer *next; - int test_fd; - - struct { - unsigned int hash; - double load_multiplier; - double load_factor; /* normalized weight value */ - } carp; - - struct { - unsigned int hash; - double load_multiplier; - double load_factor; /* normalized weight value */ - } userhash; - - struct { - unsigned int hash; - double load_multiplier; - double load_factor; /* normalized weight value */ - } sourcehash; - - char *login; /* Proxy authorization */ - time_t connect_timeout; - int connect_fail_limit; - int max_conn; - char *domain; /* Forced domain */ -#if USE_SSL - - int use_ssl; - char *sslcert; - char *sslkey; - int sslversion; - char *ssloptions; - char *sslcipher; - char *sslcafile; - char *sslcapath; - char *sslcrlfile; - char *sslflags; - char *ssldomain; - SSL_CTX *sslContext; - SSL_SESSION *sslSession; -#endif - - int front_end_https; - int connection_auth; -}; - -struct _net_db_name { - hash_link hash; /* must be first */ - net_db_name *next; - netdbEntry *net_db_entry; -}; - -struct _net_db_peer { - const char *peername; - double hops; - double rtt; - time_t expires; -}; - -struct _netdbEntry { - hash_link hash; /* must be first */ - char network[MAX_IPSTRLEN]; - int pings_sent; - int pings_recv; - double hops; - double rtt; - time_t next_ping_time; - time_t last_use_time; - int link_count; - net_db_name *hosts; - net_db_peer *peers; - int n_peers_alloc; - int n_peers; -}; - - -struct _iostats { - - struct { - int reads; - int reads_deferred; - int read_hist[16]; - int writes; - int write_hist[16]; - } - - Http, Ftp, Gopher; -}; - - -struct request_flags { - request_flags(): 
range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),destinationIPLookedUp_(0) { -#if HTTP_VIOLATIONS - nocache_hack = 0; -#endif -#if FOLLOW_X_FORWARDED_FOR - done_follow_x_forwarded_for = 0; -#endif /* FOLLOW_X_FORWARDED_FOR */ - } - - unsigned int range:1; - unsigned int nocache:1; - unsigned int ims:1; - unsigned int auth:1; - unsigned int cachable:1; - unsigned int hierarchical:1; - unsigned int loopdetect:1; - unsigned int proxy_keepalive:1; -unsigned int proxying: - 1; /* this should be killed, also in httpstateflags */ - unsigned int refresh:1; - unsigned int redirected:1; - unsigned int need_validation:1; -#if HTTP_VIOLATIONS - unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */ -#endif - unsigned int accelerated:1; - unsigned int ignore_cc:1; - unsigned int intercepted:1; /**< transparently intercepted request */ - unsigned int spoof_client_ip:1; /**< spoof client ip if possible */ - unsigned int internal:1; - unsigned int internalclient:1; - unsigned int must_keepalive:1; - unsigned int connection_auth:1; /** Request wants connection oriented auth */ - unsigned int connection_auth_disabled:1; /** Connection oriented auth can not be supported */ - unsigned int connection_proxy_auth:1; /** Request wants connection oriented auth */ - unsigned int pinned:1; /* Request sent on a pinned connection */ - unsigned int auth_sent:1; /* Authentication forwarded */ - unsigned int no_direct:1; /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */ - - // When adding new flags, please update cloneAdaptationImmune() as needed. 
- - bool resetTCP() const; - void setResetTCP(); - void clearResetTCP(); - void destinationIPLookupCompleted(); - bool destinationIPLookedUp() const; - - // returns a partial copy of the flags that includes only those flags - // that are safe for a related (e.g., ICAP-adapted) request to inherit - request_flags cloneAdaptationImmune() const; - -#if FOLLOW_X_FORWARDED_FOR - unsigned int done_follow_x_forwarded_for; -#endif /* FOLLOW_X_FORWARDED_FOR */ -private: - - unsigned int reset_tcp:1; - unsigned int destinationIPLookedUp_:1; -}; - -struct _link_list { - void *ptr; - - struct _link_list *next; -}; - -struct _cachemgr_passwd { - char *passwd; - wordlist *actions; - cachemgr_passwd *next; -}; - -struct _refresh_t { - const char *pattern; - regex_t compiled_pattern; - time_t min; - double pct; - time_t max; - refresh_t *next; - - struct { - unsigned int icase:1; - unsigned int refresh_ims:1; -#if HTTP_VIOLATIONS - unsigned int override_expire:1; - unsigned int override_lastmod:1; - unsigned int reload_into_ims:1; - unsigned int ignore_reload:1; - unsigned int ignore_no_cache:1; - unsigned int ignore_no_store:1; - unsigned int ignore_must_revalidate:1; - unsigned int ignore_private:1; - unsigned int ignore_auth:1; -#endif - } flags; -}; - -/* - * "very generic" histogram; - * see important comments on hbase_f restrictions in StatHist.c - */ - -struct _StatHist { - int *bins; - int capacity; - double min; - double max; - double scale; - hbase_f *val_in; /* e.g., log() for log-based histogram */ - hbase_f *val_out; /* e.g., exp() for log based histogram */ -}; - -/* - * if you add a field to StatCounters, - * you MUST sync statCountersInitSpecial, statCountersClean, and statCountersCopy - */ - -struct _StatCounters { - - struct { - int clients; - int requests; - int hits; - int mem_hits; - int disk_hits; - int errors; - kb_t kbytes_in; - kb_t kbytes_out; - kb_t hit_kbytes_out; - StatHist miss_svc_time; - StatHist nm_svc_time; - StatHist nh_svc_time; - StatHist 
hit_svc_time; - StatHist all_svc_time; - } client_http; - - struct { - - struct { - int requests; - int errors; - kb_t kbytes_in; - kb_t kbytes_out; - } all , http, ftp, other; - } server; - - struct { - int pkts_sent; - int queries_sent; - int replies_sent; - int pkts_recv; - int queries_recv; - int replies_recv; - int hits_sent; - int hits_recv; - int replies_queued; - int replies_dropped; - kb_t kbytes_sent; - kb_t q_kbytes_sent; - kb_t r_kbytes_sent; - kb_t kbytes_recv; - kb_t q_kbytes_recv; - kb_t r_kbytes_recv; - StatHist query_svc_time; - StatHist reply_svc_time; - int query_timeouts; - int times_used; - } icp; - - struct { - int pkts_sent; - int pkts_recv; - } htcp; - - struct { - int requests; - } unlink; - - struct { - StatHist svc_time; - } dns; - - struct { - int times_used; - kb_t kbytes_sent; - kb_t kbytes_recv; - kb_t memory; - int msgs_sent; - int msgs_recv; -#if USE_CACHE_DIGESTS - - cd_guess_stats guess; -#endif - - StatHist on_xition_count; - } cd; - - struct { - int times_used; - } netdb; - int page_faults; - unsigned long int select_loops; - int select_fds; - double select_time; - double cputime; - - struct timeval timestamp; - StatHist comm_icp_incoming; - StatHist comm_dns_incoming; - StatHist comm_http_incoming; - StatHist select_fds_hist; - - struct { - struct { - int opens; - int closes; - int reads; - int writes; - int seeks; - int unlinks; - } disk; - - struct { - int accepts; - int sockets; - int connects; - int binds; - int closes; - int reads; - int writes; - int recvfroms; - int sendtos; - } sock; - int selects; - } syscalls; - int aborted_requests; - - struct { - int files_cleaned; - int outs; - int ins; - } swap; -}; - -/* per header statistics */ - -struct _HttpHeaderStat { - const char *label; - HttpHeaderMask *owner_mask; - - StatHist hdrUCountDistr; - StatHist fieldTypeDistr; - StatHist ccTypeDistr; - StatHist scTypeDistr; - - int parsedCount; - int ccParsedCount; - int scParsedCount; - int destroyedCount; - int 
busyDestroyedCount; -}; - - -struct _CacheDigest { - /* public, read-only */ - char *mask; /* bit mask */ - int mask_size; /* mask size in bytes */ - int capacity; /* expected maximum for .count, not a hard limit */ - int bits_per_entry; /* number of bits allocated for each entry from capacity */ - int count; /* number of digested entries */ - int del_count; /* number of deletions performed so far */ -}; - - -struct _store_rebuild_data { - int objcount; /* # objects successfully reloaded */ - int expcount; /* # objects expired */ - int scancount; /* # entries scanned or read from state file */ - int clashcount; /* # swapfile clashes avoided */ - int dupcount; /* # duplicates purged */ - int cancelcount; /* # SWAP_LOG_DEL objects purged */ - int invalid; /* # bad lines */ - int badflags; /* # bad e->flags */ - int bad_log_op; - int zero_object_sz; -}; - -class logformat_token; - -struct _logformat { - char *name; - logformat_token *format; - logformat *next; -}; - -class Logfile; - -struct _customlog { - char *filename; - ACLList *aclList; - logformat *logFormat; - Logfile *logfile; - customlog *next; - customlog_type type; -}; - -#endif /* SQUID_STRUCTS_H */ +/* + * SQUID Web Proxy Cache http://www.squid-cache.org/ + * ---------------------------------------------------------- + * + * Squid is the result of efforts by numerous individuals from + * the Internet community; see the CONTRIBUTORS file for full + * details. Many organizations have provided support for Squid's + * development; see the SPONSORS file for full details. Squid is + * Copyrighted (C) 2001 by the Regents of the University of + * California; see the COPYRIGHT file for full details. Squid + * incorporates software developed and/or copyrighted by other + * sources; see the CREDITS file for full details. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + */ +#ifndef SQUID_STRUCTS_H +#define SQUID_STRUCTS_H + +#include "config.h" +#include "RefCount.h" +#include "cbdata.h" +#include "dlink.h" +#include "err_type.h" + +/* needed for the global config */ +#include "HttpHeader.h" + +/* for ICP_END */ +#include "icp_opcode.h" + +#define PEER_MULTICAST_SIBLINGS 1 + +struct acl_name_list { + char name[ACL_NAME_SZ]; + acl_name_list *next; +}; + +struct acl_deny_info_list { + err_type err_page_id; + char *err_page_name; + acl_name_list *acl_list; + acl_deny_info_list *next; +}; + + +class acl_access; + +struct _header_mangler { + acl_access *access_list; + char *replacement; +}; + +class ACLChecklist; + +#if SQUID_SNMP + +struct _snmp_request_t { + u_char *buf; + u_char *outbuf; + int len; + int sock; + long reqid; + int outlen; + + Ip::Address from; + + struct snmp_pdu *PDU; + ACLChecklist *acl_checklist; + u_char *community; + + struct snmp_session session; +}; + +#endif + +class ACLList; + +struct acl_address { + acl_address *next; + ACLList *aclList; + + Ip::Address addr; +}; + +struct acl_tos { + acl_tos *next; + ACLList *aclList; + int tos; +}; + +struct acl_size_t { + acl_size_t *next; + ACLList *aclList; + int64_t size; +}; + +struct ushortlist { + u_short i; + ushortlist *next; +}; + +struct relist 
{ + char *pattern; + regex_t regex; + relist *next; +}; + +#if DELAY_POOLS +#include "DelayConfig.h" +#endif + +#if USE_ICMP +#include "icmp/IcmpConfig.h" +#endif + +#include "HelperChildConfig.h" + +/* forward decl for SquidConfig, see RemovalPolicy.h */ + +class RemovalPolicySettings; +class external_acl; +class Store; + +struct SquidConfig { + + struct { + /* These should be for the Store::Root instance. + * this needs pluggable parsing to be done smoothly. + */ + int highWaterMark; + int lowWaterMark; + } Swap; + size_t memMaxSize; + + struct { + int64_t min; + int pct; + int64_t max; + } quickAbort; + int64_t readAheadGap; + RemovalPolicySettings *replPolicy; + RemovalPolicySettings *memPolicy; +#if HTTP_VIOLATIONS + time_t negativeTtl; +#endif + time_t negativeDnsTtl; + time_t positiveDnsTtl; + time_t shutdownLifetime; + time_t backgroundPingRate; + + struct { + time_t read; + time_t write; + time_t lifetime; + time_t connect; + time_t forward; + time_t peer_connect; + time_t request; + time_t persistent_request; + time_t pconn; + time_t siteSelect; + time_t deadPeer; + int icp_query; /* msec */ + int icp_query_max; /* msec */ + int icp_query_min; /* msec */ + int mcast_icp_query; /* msec */ + +#if !USE_DNSSERVERS + + time_t idns_retransmit; + time_t idns_query; +#endif + + } Timeout; + size_t maxRequestHeaderSize; + int64_t maxRequestBodySize; + int64_t maxChunkedRequestBodySize; + size_t maxReplyHeaderSize; + acl_size_t *ReplyBodySize; + + struct { + u_short icp; +#if USE_HTCP + + u_short htcp; +#endif +#if SQUID_SNMP + + u_short snmp; +#endif + } Port; + + struct { + http_port_list *http; +#if USE_SSL + + https_port_list *https; +#endif + + } Sockaddr; +#if SQUID_SNMP + + struct { + char *configFile; + char *agentInfo; + } Snmp; +#endif +#if USE_WCCP + + struct { + Ip::Address router; + Ip::Address address; + int version; + } Wccp; +#endif +#if USE_WCCPv2 + + struct { + Ip::Address_list *router; + Ip::Address address; + int forwarding_method; + int 
return_method; + int assignment_method; + int weight; + int rebuildwait; + void *info; + } Wccp2; +#endif + +#if USE_ICMP + IcmpConfig pinger; +#endif + + char *as_whois_server; + + struct { + char *store; + char *swap; +#if USE_USERAGENT_LOG + + char *useragent; +#endif +#if USE_REFERER_LOG + + char *referer; +#endif +#if WIP_FWD_LOG + + char *forward; +#endif + + logformat *logformats; + + customlog *accesslogs; + +#if ICAP_CLIENT + customlog *icaplogs; +#endif + + int rotateNumber; + } Log; + char *adminEmail; + char *EmailFrom; + char *EmailProgram; + char *effectiveUser; + char *visible_appname_string; + char *effectiveGroup; + + struct { +#if USE_DNSSERVERS + char *dnsserver; +#endif + + wordlist *redirect; +#if USE_UNLINKD + + char *unlinkd; +#endif + + char *diskd; +#if USE_SSL + + char *ssl_password; +#endif + + } Program; +#if USE_DNSSERVERS + + HelperChildConfig dnsChildren; +#endif + + HelperChildConfig redirectChildren; + time_t authenticateGCInterval; + time_t authenticateTTL; + time_t authenticateIpTTL; + + struct { + char *surrogate_id; + } Accel; + char *appendDomain; + size_t appendDomainLen; + char *pidFilename; + char *netdbFilename; + char *mimeTablePathname; + char *etcHostsPath; + char *visibleHostname; + char *uniqueHostname; + wordlist *hostnameAliases; + char *errHtmlText; + + struct { + char *host; + char *file; + time_t period; + u_short port; + } Announce; + + struct { + + Ip::Address udp_incoming; + Ip::Address udp_outgoing; +#if SQUID_SNMP + Ip::Address snmp_incoming; + Ip::Address snmp_outgoing; +#endif + /* FIXME INET6 : this should really be a CIDR value */ + Ip::Address client_netmask; + } Addrs; + size_t tcpRcvBufsz; + size_t udpMaxHitObjsz; + wordlist *hierarchy_stoplist; + wordlist *mcast_group_list; + wordlist *dns_nameservers; + peer *peers; + int npeers; + + struct { + int size; + int low; + int high; + } ipcache; + + struct { + int size; + } fqdncache; + int minDirectHops; + int minDirectRtt; + cachemgr_passwd *passwd_list; 
+ + struct { + int objectsPerBucket; + int64_t avgObjectSize; + int64_t maxObjectSize; + int64_t minObjectSize; + size_t maxInMemObjSize; + } Store; + + struct { + int high; + int low; + time_t period; + } Netdb; + + struct { + int log_udp; + int res_defnames; + int anonymizer; + int client_db; + int query_icmp; + int icp_hit_stale; + int buffered_logs; + int common_log; + int log_mime_hdrs; + int log_fqdn; + int announce; + int mem_pools; + int test_reachability; + int half_closed_clients; + int refresh_all_ims; +#if HTTP_VIOLATIONS + + int reload_into_ims; + int ignore_expect_100; +#endif + + int offline; + int redir_rewrites_host; + int prefer_direct; + int nonhierarchical_direct; + int strip_query_terms; + int redirector_bypass; + int ignore_unknown_nameservers; + int client_pconns; + int server_pconns; + int error_pconns; +#if USE_CACHE_DIGESTS + + int digest_generation; +#endif + + int log_ip_on_direct; + int ie_refresh; + int vary_ignore_expire; + int pipeline_prefetch; + int surrogate_is_remote; + int request_entities; + int detect_broken_server_pconns; + int balance_on_multiple_ip; + int relaxed_header_parser; + int check_hostnames; + int allow_underscore; + int via; + int emailErrData; + int httpd_suppress_version_string; + int global_internal_static; + int dns_require_A; + +#if FOLLOW_X_FORWARDED_FOR + int acl_uses_indirect_client; + int delay_pool_uses_indirect_client; + int log_uses_indirect_client; +#endif /* FOLLOW_X_FORWARDED_FOR */ + + int WIN32_IpAddrChangeMonitor; + int memory_cache_first; + int memory_cache_disk; + int access_sibling_for_stale_resource; + } onoff; + + int forward_max_tries; + + class ACL *aclList; + + struct { + acl_access *http; + acl_access *adapted_http; + acl_access *icp; + acl_access *miss; + acl_access *NeverDirect; + acl_access *AlwaysDirect; + acl_access *ASlists; + acl_access *noCache; + acl_access *log; +#if SQUID_SNMP + + acl_access *snmp; +#endif +#if HTTP_VIOLATIONS + acl_access *brokenPosts; +#endif + acl_access 
*redirector; + acl_access *reply; + acl_address *outgoing_address; + acl_tos *outgoing_tos; + acl_tos *clientside_tos; +#if USE_HTCP + + acl_access *htcp; + acl_access *htcp_clr; +#endif + +#if USE_SSL + acl_access *ssl_bump; +#endif +#if FOLLOW_X_FORWARDED_FOR + acl_access *followXFF; +#endif /* FOLLOW_X_FORWARDED_FOR */ + +#if ICAP_CLIENT + acl_access* icap; +#endif + } accessList; + acl_deny_info_list *denyInfoList; + authConfig authConfiguration; + + struct { + size_t list_width; + int list_wrap; + char *anon_user; + int passive; + int epsv_all; + int epsv; + int sanitycheck; + int telnet; + } Ftp; + refresh_t *Refresh; + + struct _cacheSwap { + RefCount *swapDirs; + int n_allocated; + int n_configured; + } cacheSwap; + /* + * I'm sick of having to keep doing this .. + */ +#define INDEXSD(i) (Config.cacheSwap.swapDirs[(i)].getRaw()) + + struct { + char *directory; + int use_short_names; + } icons; + char *errorDirectory; +#if USE_ERR_LOCALES + char *errorDefaultLanguage; + int errorLogMissingLanguages; +#endif + char *errorStylesheet; + + struct { + int maxtries; + int onerror; + } retry; + + struct { + size_t limit; + } MemPools; +#if DELAY_POOLS + + DelayConfig Delay; +#endif + + struct { + int icp_average; + int dns_average; + int http_average; + int icp_min_poll; + int dns_min_poll; + int http_min_poll; + } comm_incoming; + int max_open_disk_fds; + int uri_whitespace; + acl_size_t *rangeOffsetLimit; +#if MULTICAST_MISS_STREAM + + struct { + + Ip::Address addr; + int ttl; + unsigned short port; + char *encode_key; + } mcast_miss; +#endif + + /* one access list per header type we know of */ + header_mangler request_header_access[HDR_ENUM_END]; + /* one access list per header type we know of */ + header_mangler reply_header_access[HDR_ENUM_END]; + char *coredump_dir; + char *chroot_dir; +#if USE_CACHE_DIGESTS + + struct { + int bits_per_entry; + time_t rebuild_period; + time_t rewrite_period; + size_t swapout_chunk_size; + int rebuild_chunk_percentage; + } 
digest; +#endif +#if USE_SSL + + struct { + int unclean_shutdown; + char *ssl_engine; + } SSL; +#endif + + wordlist *ext_methods; + + struct { + int high_rptm; + int high_pf; + size_t high_memory; + } warnings; + char *store_dir_select_algorithm; + int sleep_after_fork; /* microseconds */ + time_t minimum_expiry_time; /* seconds */ + external_acl *externalAclHelperList; + +#if USE_SSL + + struct { + char *cert; + char *key; + int version; + char *options; + char *cipher; + char *cafile; + char *capath; + char *crlfile; + char *flags; + acl_access *cert_error; + SSL_CTX *sslContext; + } ssl_client; +#endif + + char *accept_filter; + int umask; + +#if USE_LOADABLE_MODULES + wordlist *loadable_module_names; +#endif + + int client_ip_max_connections; +}; + +SQUIDCEXTERN SquidConfig Config; + +struct SquidConfig2 { + struct { + int enable_purge; + int mangle_request_headers; + } onoff; + uid_t effectiveUserID; + gid_t effectiveGroupID; +}; + +SQUIDCEXTERN SquidConfig2 Config2; + +struct _close_handler { + PF *handler; + void *data; + close_handler *next; +}; + +struct _dread_ctrl { + int fd; + off_t offset; + int req_len; + char *buf; + int end_of_file; + DRCB *handler; + void *client_data; +}; + +struct _dwrite_q { + off_t file_offset; + char *buf; + size_t len; + size_t buf_offset; + dwrite_q *next; + FREE *free_func; +}; + + +/* ETag support is rudimantal; + * this struct is likely to change + * Note: "str" points to memory in HttpHeaderEntry (for now) + * so ETags should be used as tmp variables only (for now) */ + +struct _ETag { + const char *str; /* quoted-string */ + int weak; /* true if it is a weak validator */ +}; + +struct _fde_disk { + DWCB *wrt_handle; + void *wrt_handle_data; + dwrite_q *write_q; + dwrite_q *write_q_tail; + off_t offset; +}; + +struct _fileMap { + int max_n_files; + int n_files_in_map; + int toggle; + int nwords; + unsigned long *file_map; +}; + +/* + * Note: HttpBody is used only for messages with a small content that is + * known a 
priory (e.g., error messages). + */ + +class MemBuf; + +struct _HttpBody { + /* private */ + MemBuf *mb; +}; + +#include "SquidString.h" +/* http header extention field */ + +class HttpHdrExtField +{ + String name; /* field-name from HTTP/1.1 (no column after name) */ + String value; /* field-value from HTTP/1.1 */ +}; + +/* http cache control header field */ + +class HttpHdrCc +{ + +public: + int mask; + int max_age; + int s_maxage; + int max_stale; + String other; +}; + +/* some fields can hold either time or etag specs (e.g. If-Range) */ + +struct _TimeOrTag { + ETag tag; /* entity tag */ + time_t time; + int valid; /* true if struct is usable */ +}; + +/* per field statistics */ + +class HttpHeaderFieldStat +{ + +public: + HttpHeaderFieldStat() : aliveCount(0), seenCount(0), parsCount(0), errCount(0), repCount(0) {} + + int aliveCount; /* created but not destroyed (count) */ + int seenCount; /* #fields we've seen */ + int parsCount; /* #parsing attempts */ + int errCount; /* #pasring errors */ + int repCount; /* #repetitons */ +}; + +/* compiled version of HttpHeaderFieldAttrs plus stats */ + +class HttpHeaderFieldInfo +{ + +public: + HttpHeaderFieldInfo() : id (HDR_ACCEPT), type (ftInvalid) {} + + http_hdr_type id; + String name; + field_type type; + HttpHeaderFieldStat stat; +}; + +struct _http_state_flags { + unsigned int proxying:1; + unsigned int keepalive:1; + unsigned int only_if_cached:1; + unsigned int headers_parsed:1; + unsigned int front_end_https:2; + unsigned int originpeer:1; + unsigned int keepalive_broken:1; + unsigned int abuse_detected:1; + unsigned int request_sent:1; + unsigned int do_next_read:1; + unsigned int consume_body_data:1; + unsigned int chunked:1; +}; + +struct _ipcache_addrs { + Ip::Address *in_addrs; + unsigned char *bad_mask; + unsigned char count; + unsigned char cur; + unsigned char badcount; +}; + +struct _domain_ping { + char *domain; + int do_ping; /* boolean */ + domain_ping *next; +}; + +struct _domain_type { + char 
*domain; + peer_t type; + domain_type *next; +}; + +#if USE_CACHE_DIGESTS + +/* statistics for cache digests and other hit "predictors" */ + +struct _cd_guess_stats { + /* public, read-only */ + int true_hits; + int false_hits; + int true_misses; + int false_misses; + int close_hits; /* tmp, remove it later */ +}; + +#endif + +class PeerDigest; + +struct peer { + u_int index; + char *name; + char *host; + peer_t type; + + Ip::Address in_addr; + + struct { + int pings_sent; + int pings_acked; + int fetches; + int rtt; + int ignored_replies; + int n_keepalives_sent; + int n_keepalives_recv; + time_t probe_start; + time_t last_query; + time_t last_reply; + time_t last_connect_failure; + time_t last_connect_probe; + int logged_state; /* so we can print dead/revived msgs */ + int conn_open; /* current opened connections */ + } stats; + + struct { + int version; + int counts[ICP_END+1]; + u_short port; + } icp; + +#if USE_HTCP + struct { + double version; + int counts[2]; + u_short port; + } htcp; +#endif + + u_short http_port; + domain_ping *peer_domain; + domain_type *typelist; + acl_access *access; + + struct { + unsigned int proxy_only:1; + unsigned int no_query:1; + unsigned int background_ping:1; + unsigned int no_digest:1; + unsigned int default_parent:1; + unsigned int roundrobin:1; + unsigned int weighted_roundrobin:1; + unsigned int mcast_responder:1; + unsigned int closest_only:1; +#if USE_HTCP + unsigned int htcp:1; + unsigned int htcp_oldsquid:1; + unsigned int htcp_no_clr:1; + unsigned int htcp_no_purge_clr:1; + unsigned int htcp_only_clr:1; + unsigned int htcp_forward_clr:1; +#endif + unsigned int no_netdb_exchange:1; +#if DELAY_POOLS + unsigned int no_delay:1; +#endif + unsigned int allow_miss:1; + unsigned int carp:1; + unsigned int userhash:1; + unsigned int sourcehash:1; + unsigned int originserver:1; + unsigned int no_tproxy:1; +#if PEER_MULTICAST_SIBLINGS + unsigned int mcast_siblings:1; +#endif + } options; + + int weight; + int basetime; + + struct 
{ + double avg_n_members; + int n_times_counted; + int n_replies_expected; + int ttl; + int id; + + struct { + unsigned int count_event_pending:1; + unsigned int counting:1; + } flags; + } mcast; +#if USE_CACHE_DIGESTS + + PeerDigest *digest; + char *digest_url; +#endif + + int tcp_up; /* 0 if a connect() fails */ + + Ip::Address addresses[10]; + int n_addresses; + int rr_count; + peer *next; + int test_fd; + + struct { + unsigned int hash; + double load_multiplier; + double load_factor; /* normalized weight value */ + } carp; + + struct { + unsigned int hash; + double load_multiplier; + double load_factor; /* normalized weight value */ + } userhash; + + struct { + unsigned int hash; + double load_multiplier; + double load_factor; /* normalized weight value */ + } sourcehash; + + char *login; /* Proxy authorization */ + time_t connect_timeout; + int connect_fail_limit; + int max_conn; + char *domain; /* Forced domain */ +#if USE_SSL + + int use_ssl; + char *sslcert; + char *sslkey; + int sslversion; + char *ssloptions; + char *sslcipher; + char *sslcafile; + char *sslcapath; + char *sslcrlfile; + char *sslflags; + char *ssldomain; + SSL_CTX *sslContext; + SSL_SESSION *sslSession; +#endif + + int front_end_https; + int connection_auth; +}; + +struct _net_db_name { + hash_link hash; /* must be first */ + net_db_name *next; + netdbEntry *net_db_entry; +}; + +struct _net_db_peer { + const char *peername; + double hops; + double rtt; + time_t expires; +}; + +struct _netdbEntry { + hash_link hash; /* must be first */ + char network[MAX_IPSTRLEN]; + int pings_sent; + int pings_recv; + double hops; + double rtt; + time_t next_ping_time; + time_t last_use_time; + int link_count; + net_db_name *hosts; + net_db_peer *peers; + int n_peers_alloc; + int n_peers; +}; + + +struct _iostats { + + struct { + int reads; + int reads_deferred; + int read_hist[16]; + int writes; + int write_hist[16]; + } + + Http, Ftp, Gopher; +}; + + +struct request_flags { + request_flags(): 
range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),destinationIPLookedUp_(0) { +#if HTTP_VIOLATIONS + nocache_hack = 0; +#endif +#if FOLLOW_X_FORWARDED_FOR + done_follow_x_forwarded_for = 0; +#endif /* FOLLOW_X_FORWARDED_FOR */ + } + + unsigned int range:1; + unsigned int nocache:1; + unsigned int ims:1; + unsigned int auth:1; + unsigned int cachable:1; + unsigned int hierarchical:1; + unsigned int loopdetect:1; + unsigned int proxy_keepalive:1; +unsigned int proxying: + 1; /* this should be killed, also in httpstateflags */ + unsigned int refresh:1; + unsigned int redirected:1; + unsigned int need_validation:1; +#if HTTP_VIOLATIONS + unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */ +#endif + unsigned int accelerated:1; + unsigned int ignore_cc:1; + unsigned int intercepted:1; /**< transparently intercepted request */ + unsigned int spoof_client_ip:1; /**< spoof client ip if possible */ + unsigned int internal:1; + unsigned int internalclient:1; + unsigned int must_keepalive:1; + unsigned int connection_auth:1; /** Request wants connection oriented auth */ + unsigned int connection_auth_disabled:1; /** Connection oriented auth can not be supported */ + unsigned int connection_proxy_auth:1; /** Request wants connection oriented auth */ + unsigned int pinned:1; /* Request sent on a pinned connection */ + unsigned int auth_sent:1; /* Authentication forwarded */ + unsigned int no_direct:1; /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */ + + // When adding new flags, please update cloneAdaptationImmune() as needed. 
+ + bool resetTCP() const; + void setResetTCP(); + void clearResetTCP(); + void destinationIPLookupCompleted(); + bool destinationIPLookedUp() const; + + // returns a partial copy of the flags that includes only those flags + // that are safe for a related (e.g., ICAP-adapted) request to inherit + request_flags cloneAdaptationImmune() const; + +#if FOLLOW_X_FORWARDED_FOR + unsigned int done_follow_x_forwarded_for; +#endif /* FOLLOW_X_FORWARDED_FOR */ +private: + + unsigned int reset_tcp:1; + unsigned int destinationIPLookedUp_:1; +}; + +struct _link_list { + void *ptr; + + struct _link_list *next; +}; + +struct _cachemgr_passwd { + char *passwd; + wordlist *actions; + cachemgr_passwd *next; +}; + +struct _refresh_t { + const char *pattern; + regex_t compiled_pattern; + time_t min; + double pct; + time_t max; + refresh_t *next; + + struct { + unsigned int icase:1; + unsigned int refresh_ims:1; +#if HTTP_VIOLATIONS + unsigned int override_expire:1; + unsigned int override_lastmod:1; + unsigned int reload_into_ims:1; + unsigned int ignore_reload:1; + unsigned int ignore_no_cache:1; + unsigned int ignore_no_store:1; + unsigned int ignore_must_revalidate:1; + unsigned int ignore_private:1; + unsigned int ignore_auth:1; +#endif + } flags; +}; + +/* + * "very generic" histogram; + * see important comments on hbase_f restrictions in StatHist.c + */ + +struct _StatHist { + int *bins; + int capacity; + double min; + double max; + double scale; + hbase_f *val_in; /* e.g., log() for log-based histogram */ + hbase_f *val_out; /* e.g., exp() for log based histogram */ +}; + +/* + * if you add a field to StatCounters, + * you MUST sync statCountersInitSpecial, statCountersClean, and statCountersCopy + */ + +struct _StatCounters { + + struct { + int clients; + int requests; + int hits; + int mem_hits; + int disk_hits; + int errors; + kb_t kbytes_in; + kb_t kbytes_out; + kb_t hit_kbytes_out; + StatHist miss_svc_time; + StatHist nm_svc_time; + StatHist nh_svc_time; + StatHist 
hit_svc_time; + StatHist all_svc_time; + } client_http; + + struct { + + struct { + int requests; + int errors; + kb_t kbytes_in; + kb_t kbytes_out; + } all , http, ftp, other; + } server; + + struct { + int pkts_sent; + int queries_sent; + int replies_sent; + int pkts_recv; + int queries_recv; + int replies_recv; + int hits_sent; + int hits_recv; + int replies_queued; + int replies_dropped; + kb_t kbytes_sent; + kb_t q_kbytes_sent; + kb_t r_kbytes_sent; + kb_t kbytes_recv; + kb_t q_kbytes_recv; + kb_t r_kbytes_recv; + StatHist query_svc_time; + StatHist reply_svc_time; + int query_timeouts; + int times_used; + } icp; + + struct { + int pkts_sent; + int pkts_recv; + } htcp; + + struct { + int requests; + } unlink; + + struct { + StatHist svc_time; + } dns; + + struct { + int times_used; + kb_t kbytes_sent; + kb_t kbytes_recv; + kb_t memory; + int msgs_sent; + int msgs_recv; +#if USE_CACHE_DIGESTS + + cd_guess_stats guess; +#endif + + StatHist on_xition_count; + } cd; + + struct { + int times_used; + } netdb; + int page_faults; + unsigned long int select_loops; + int select_fds; + double select_time; + double cputime; + + struct timeval timestamp; + StatHist comm_icp_incoming; + StatHist comm_dns_incoming; + StatHist comm_http_incoming; + StatHist select_fds_hist; + + struct { + struct { + int opens; + int closes; + int reads; + int writes; + int seeks; + int unlinks; + } disk; + + struct { + int accepts; + int sockets; + int connects; + int binds; + int closes; + int reads; + int writes; + int recvfroms; + int sendtos; + } sock; + int selects; + } syscalls; + int aborted_requests; + + struct { + int files_cleaned; + int outs; + int ins; + } swap; +}; + +/* per header statistics */ + +struct _HttpHeaderStat { + const char *label; + HttpHeaderMask *owner_mask; + + StatHist hdrUCountDistr; + StatHist fieldTypeDistr; + StatHist ccTypeDistr; + StatHist scTypeDistr; + + int parsedCount; + int ccParsedCount; + int scParsedCount; + int destroyedCount; + int 
busyDestroyedCount; +}; + + +struct _CacheDigest { + /* public, read-only */ + char *mask; /* bit mask */ + int mask_size; /* mask size in bytes */ + int capacity; /* expected maximum for .count, not a hard limit */ + int bits_per_entry; /* number of bits allocated for each entry from capacity */ + int count; /* number of digested entries */ + int del_count; /* number of deletions performed so far */ +}; + + +struct _store_rebuild_data { + int objcount; /* # objects successfully reloaded */ + int expcount; /* # objects expired */ + int scancount; /* # entries scanned or read from state file */ + int clashcount; /* # swapfile clashes avoided */ + int dupcount; /* # duplicates purged */ + int cancelcount; /* # SWAP_LOG_DEL objects purged */ + int invalid; /* # bad lines */ + int badflags; /* # bad e->flags */ + int bad_log_op; + int zero_object_sz; +}; + +class logformat_token; + +struct _logformat { + char *name; + logformat_token *format; + logformat *next; +}; + +class Logfile; + +struct _customlog { + char *filename; + ACLList *aclList; + logformat *logFormat; + Logfile *logfile; + customlog *next; + customlog_type type; +}; + +#endif /* SQUID_STRUCTS_H */ # Begin bundle
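Review bot: in `struct request_flags` the constructor's initializer list ends at `must_keepalive(0),destinationIPLookedUp_(0)` and never sets `connection_auth`, `connection_auth_disabled`, `connection_proxy_auth`, `pinned`, `auth_sent`, `no_direct` or the private `reset_tcp`, so a default-constructed object carries indeterminate values in those bits unless every allocation site zeroes the memory first. Going by its own comment, `no_direct` gates direct forwarding in accelerator mode, and `reset_tcp` is what `resetTCP()` presumably reports, so both should start from a known state: please add all seven to the initializer list. The comment above `cloneAdaptationImmune()` already asks for that function to be updated when flags are added; a matching reminder for the constructor would keep the two in step. Two smaller points in the same struct: `done_follow_x_forwarded_for` is a full `unsigned int` while every other flag is a `:1` bit-field, and the comment on `connection_proxy_auth` repeats the text of `connection_auth` word for word.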
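Review bot: in `struct peer`, `Ip::Address addresses[10];` is sized by a bare literal and paired with a separate `int n_addresses;`, so nothing in the declaration ties the count to the array bound. Please give the bound a named constant and document on `n_addresses` that writers must clamp to it, so the code that fills the array from lookup results and the code that iterates it share one limit. While touching this header, the comment typos are worth fixing too: "rudimantal", "a priory", "extention", "no column after name" (colon), "#pasring errors", "#repetitons" and "overriden".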
GPQFHoYfATxGY6iqhU4/JmLnnaxgBsvimp0DaHAI5LBYvCtZVMNQpTc0GWEB19czxla6mcq+G8Xm BCzVUJ3VYYwa4uKbLQd/gayRSNTCWMIGCkPN15wF/Suc9qCaqgCzGwZBb74Qp7SVgdvV0vHavgvo s8KqNjlw4Iuhs3kpvTUBqMJJcZskWnod4v6K6SUiJSLS9HFxpECF4ntbbBgMckUxW4DcURWhjRm5 zYUgKFMkab/J/gjZH7O+ep0qxMHQZdb8EMeyxCKbpZZTf2dtHJhB7FDf2bARuUSG6uQgmUIcIxdx 0Dpa8KDfHNzcBGPzarJH0Rjpx7G3zixRBAhUYFBlsUkBHKeJCRGJD3DoCqMyGKBe7U203iCtJ2Xy MIOk++eDB1IWSiRfR3nARAwizJJpfDT8/mzEDAgKOkxsMM88PSmT5+nt7s52DkcQRPYgczYZ59aP H53g9nw5mv9jMH49V8onhAKyr48lRr1fFLxvVRsjRSHKbVG5Xe+rdTx2eaGIosV9ts2gSSl0c4gX jwfudfMFhxULOajmuqfaFPOfVMCI+8b/RQebvjRBFF4bQVUKB5AMR2QSJF6fR9I+RHyLsozgKsOl aHZVmHIYKUULGh7HDFPqhri6KB1erWNXiY+MueEIAPiAqXCnn0nIKTD2RXGdfN2GcHElFVu1VS4p fdAu+EiBuUREE7o1NfYdjzlqYSyxVnwu3bzSV2zvVnFDZnUhRtDI1hDCK3QO0umsKvIo/f9che0J UuubXEXllUDRqim3ot0FXSIQWaSoS/2Gq8dGqAMp7CAQjxfyFrKESMB9Umr5j9oX2o0BCd90tZD+ ODGeBg6EvkA+pjbMOIEQFhFXkIcDJt6rR2DArVekCYWPldviBtg3fysOi4788RUJcVG3dBxlA0Wp Ja9PqBHtHnAprxGC8tVre7VagGse2yT1lNR0OceOGIoBCP6ZuBFc6PgJA2kL0cY7e4tuUQTZcLzN 5MQnEvlcMJu0ogkXbOpnDyUM4VHxLhlIrP7/VOF8wLOHdqMRNMtB2pzKiqqAsAAb216xQpw2AX6x SRGpbAVCIAjYCyCDhoRTw8juE3nqRcgPkCfrb0L9UPEEGxjYNY5LdAvEAXGoZfzrC2ZjsNnc/ygv q1sto3moIg/O1UzJ0ZMECcQELSfQJAQQHVrcIXrIEBjNC8b+P4h+sHXFhNOz5HYSsdwSMf5uKIKM znDzqOjRTIEL0BQRU2k8rwlopZ11Dw1rIk1aSm5OTK4A+9T9NEgHDUXA/pg9YQu3KjuIMKM/t64x U+m+ImRHr6PSfXOVbrMJyViKeMXcEbtvu1PEkrWNGhBcVFIOigrkGcTkV9PYU4IkH0/KOsqR+5ME QRiG+P0LDspCP0T2QQwh/otwBj0O3ibTVtK0ERRHxLJvpdBxRCHIFAHJcaLCsO5AUMTpk2OMIcd5 qpTThXdr012B6OCR/g3z9rh1uW34PD0EtjsjBY/D/u+IAfQRtAWOp9AhwTPgGZLPGLTfIy9O9KLr X5+vzlahoL1Jt5aOSFgdzObhDpw0yG4PZJsd3M9GR+CRDN76vMp72TpnFLvlvmqhhts54GmfcIDN Hf39EfJIalGig6GRnSFT9aBCRHEzQkB8EfNZVYGLBrAgWCABmg/i8rrJli8KJktWmhugr+EV/Agd kB/WkW5zuLI3/YStIRoQErIDgs+JFyzoSvJifEM/oEXAQgevyhobCJ/ao8+zVDzLix7KMFhIkISJ NelHj/sBfCaLj+C/zeDECgq+H0Mkwvena6iFVB5faQRpdd9OzQQFLJkd14XGGt7C5TiEg5drsTEC B9j9SIA0Ay5MbQ08jUD8jyfm8/iEAA9484AUBAPVhZvWwxAUDxvqMcJMpzhsgj1s2tM2S51UV+up 
3JtVE3ZyT4d9bI1Qc33jHWpyQNHk6mQ4dWIYEdP5rcUaJ4nX1JjXNN8RsvzRvER1Nh0UZIRAVBa4 XLdfBBPhePf0cJ4Tn6III60Ukcvivwy1hP6/1p9uGA/CX2j5/zu+nlNDl0AdO0Kh39g4a7Ziw9bK e5exlI96iYZZ678lIMcI+toDmsoPZwybbXs7fvs7+vnomCDDvjD32NUc+u7wvSjL1Vjcxvt8Tbe/ 64jp5URZtJIS6Acaph6+RUq6jOh52ZBfY1WU3TdvcC1VJusqsb4WFG84/OYgXlQOR82Q9aI/p4hz 9qXKUf7XT9fc/3rzw71kDQ0HfNhVuPWWrIyDUQHrwobw/SH7OJdG+JvcoUIFUCQi+N2/EDW29CdF cWA/WrdxQHqq36ykyn8efrWlkPXgF6AAf1hWDTUCiBuv7vEpryo8fhG+m3o4+CdV0aoMSnhltgKy HrlniiYn8PLytTAUm60SKxMS+0KIGXYCr2P0n8qLO3R7B3HX2SF2zMN+SdQtSsfTRTr66sLzGAbQ 56+dgxnh9hsXvv4mFJVdjfqznBnJpSeDZgQqdxYEEiKhXUSZdEpC78uyaMNzdEpSjIhtCbWe7Bx3 Ty6147ItcoiuAO013aNuwOVSKCAlW18Z+mrG+EPPW6KueU5b4SS6SiLFR7nZsGWpli4975WoEh23 VgIbOy6qbgRwseFUm3q/SXYd8EYBqATJxg1CBhfmBMLxfBymLO6veJETkFECnl+94bmU9vpYCdh+ H4fT9fXye3toTcHwYeKN0CkO/b4cME0zoXz8F+OA9eKkefl6D0YqbNe9sQHw7qsyMtN7zDoaZ+jX pp1ft/SWMMOp/4pRoXJAGRDawRnR/2vwrsajaWeMW1giJ+9/mN5KGBE5Yzc1I3b4yel+KBpmPmXe Jace6FP2UU069Yrn5ogMRZR9hcFqpwPikDOZ7SRLnzFOAGGh4golxSYzpHlYERvufU7ae7MKzYws EWSXsj0SRDVOKgKLoRuqWJeBUMvrgu1M8ufTytPHZejtfSowzzmauRJ6SV22ow1x8IPrIrsFMI3R CwaAGoeUUg6ifG4sNTCwYFCo9XsHs6JNupzGaaEWuKsOlVHs+X1i/6B8MDYaJhjgnYAMyiQ7yhfc cg8Mykul6lONxoPyv6JJf4T3mFQo8K+/1xYRqSrsAFpeGBLExU6MNCCHULBR34aCUhYmImbxWCAu i9xJgOwcItnZbtQxbALUCWLggkjwK4LKJSbom8sULriWIoV34DqwQdEI9cQyvfQGFpIxUaDX9PU0 IC6SGf6hoIA+4DyL8YYVWQhefC7JhhDASpDXUCGygOkRPeuLb42hdhh9xnUgjCEman4Pm3IAfKhE BpAXhrtVmE8xoLsHtEQzeucmELpz+KQcNspMYY3RxN2qFnJjC9pFS3pEWgIQmGel7cd0BuYOWPop 0xLwFwFcGzqVG1ZIwJOE4u5Yqe+OT1wi2oKbjTU4132rZh2yWU9a5fneL8jL01RXnlLYyZGN0md5 MSgvIxZ0U4dGychJAToUoNlIBORTH0SDAwWFy1xRR5pALgOhaCQ9Zae8BNiIAS5Vduz/NDC2UTRV Uaq7m1HDcomRDNRSKgjeCLlYzosC93RuYCEhZt4a7B911FsMortmahzRjP9UhfCkKX0hScxWucBN ++dQ/1ySwxuhV8O+4ZSW67Cf7pRr0m4rOfXa6OgjVU9x2ICChlG4fu9e6MJalGjzbK994fsbz0WI sDQLJHBDoYK+4nOUneBkIrdK7V4BcSHmCTW5l2nfV8CqORChdBN+qTvhyYOKftuZgKbrUmt81DJO be3qjqj0tEUpAioJKZmgSO6ufuosMEmnb5TcabgL5UNcio5Ehz+8XPEZxnuNsZe0A3GEoMMOnK8F 
xkaah8BbqGYE9fRQUU+XBxl5CGDhWQ1ucGOuTXGA0ClVxI7hQGsKkQKq339YKwuMLPZ1IQI7fCq0 u6fyE435yGm88hnRc/PV/P88OT4k4G2u9uxvu9wQkdHu5ivCEwZFFKw83h6dY8D8c+J0w1KNBLj1 JOf1ww1w5y4iPSAlayCwbr9S5UgwiliyNjZiTi4Yzb8/OHSZyCWr6DOaJZEKJvPsFu9sfeBJuWlt BbaUOFHOHyfDTHKb7lrePmr7Lr+YLMpnp9EX6FjhizEEQ7lS+D3P1h3GlwgKAjaq2VsZQNYQRnt6 8024QntVdWNXXCOECsl1LjgIUkxbreGjmUSH8Yp61pPHWEvMd8/X0phrmW8eZwYdaG192/5cxea0 ojVYW9zyaZJGBFfN224Rj45wxcaPXxGtJKMXPZjLa3drxdIZSHM+qkWKEgmOf0ySplK4TDETUKoK saT8nMvNcumg9JMoUlNRY4aFm0r7eBe+cx44Ra+N9Zb4VjMOse0USYkU1zulMyJht8fRRxeaNlUU JEpDHnR3u1Bi368q1FtW9hnV2GMgHJHnV7C5ATE3lIByoCkPsjaVYLkoyDh657KCJ/Vu+fdQR2VV aXCPdd9R8xDzHVefUStt9Ou9iiBTBjwxMLg+1edXEqbE/A/CjOMpD17fgLtp0iHT0HByR3Mlsw4G YVZXQxhDDF6hI44jCgRhImVBYpO38R0vB6RYNdg7HowkBH3UuG2kYkBnUdgOlvRSwITsKQIwLb+P qsDxQlfwLqnu6Lscm/SaM3ZsPoNTuU2OAjKxkIWES6tfAbRDieb5+lLcaHS2ICh6sC4S4XxeL9bt NesvbQ2Z8r43SOKK0qWxKThZ3srHqTRKUk1TMYfS5V8Zvy/b/HrnXnZ+G8N4xgooD8WWguVYR1Rc S+MsJ/4BpVSYByekHeyZSEd36+Vb6Wt5R7709wSgQYVVThxULYgdSHxLPRu/BethpsICgF1RJdeA 1Q5mJiRxMRBSiB13ccdAMtjgSvjDXbBVuio0iGmwDBQt4T3gDnUDdHKnjX3Z9l2fGeXjdq4dFBSH PaHaXWLqMJx4M916b4hSNryYRMJEjb95uATkjiKAmK+6K+AqIsMhaiIOooEAyjbhrA0gLoVmDNio tp0UHPESkcV2UfydXD5YwaDmr8RziGdYpFcKNE3C4ZzIy0eNcBQRSdIcLzIMP6KSpFV94eIxR54r AHaXjxEAjIgVAoGJgZuuRDg28zMhpzi1E6ojR4tr1XBmZTrVGz+yks44Hv9sRpCFbsFXXB4uIu50 fj0/6doX+XtYQfmh89wMN/f7j5EXcgvixjmzWSe76hTpM02M9ZLHEmo52gQGFHHOaGGZy/doh6SI /gfgvn6XF9D8mE2Es6HWtd7X8Hl2/732Z0+5fYIQKl1BHkKCUTDRKG5Gn/KO3VfjQ76F9D3hNqgZ 7Uyb774KiacnGrVqCPZcq+VX9bptRzfl2lOpEEWO9zdDfY6Eg7LvW1Bl+qnVITqnvUawnHBGAnU9 wG0W0mreQI/m2tf2PG+5tZQbc5ibgK5I92bwTi3rYv7uX76ojoC6zYefYC9CiK4o8aIBENr3fj5r TptwHanqeUlv1DK4g3rWxF5wOQJTd+1cRi9q8RKH3LnRry5fO363ORzVRubE6FQ9G5+LE1rjwdX5 NnkcHUrxcG/w29ztz1+GNsVhas+1UNLr2iPM6e30a3PqOjkD4q0BH8edZ33Qkd/V57Xene+go3eh JeQHrwYB4H9Uo7253yr1nysdDDmihQ6kd8uC5cRAj2sNAFMNALFqL+y928P4Z7+xcE991vQk1fSq X6u129Vg6Sab9nGa6oGp9hrTgQCIhN1rm4h07rutdLglkugCS4Jc6SfAlbxkuS0IRJRp9kdw/A9N 
OmHvfhyvIt801Ic5fW0NCyGshHVBA3AXe6OkLCjNN72oxV5D+tyNkgIsJIa+52n65QFDYWEUPXj6 zCeHSA3jtmp49vHIggct9z1zu9h76nGfnDrgRriciqPN0E54zh9qYuShQdaE04q7B1DxqIfXqdCQ YqF4EnfcB6Ppd7zqzeWgRVavqqsdz1TTgfB1yQ+5nK2LrJ5ojfUhfRDGBxdOOaQsfhr87E2RwP2/ A44ndecVFWh89LTcCps9vlXB6XV9Hm0bqee93EoeDeLlbsw795nV2E2pJom0ZNKk3xIQjQjjfADR sShwZmxv04e8atzLeVG1t94yp3JjhPv+MmurVWuNw/C10hQRjPCgrOmCRKKKssMzs+ZuzX5sg8qW aT+E4yeIsC2ClFJZmDwiM90UV5glcnn2Xt59gvf5PRmm+VoeAwASaLtxDrRy1MH/ItzFEHdz5o2d l3gmytFBgePvZzVHKufKidByM2D2+Q0t9sBszPy6hwZ7wbIbdAiYTYtf2oFxbgOds/r0Q9Cg3KFh whyK9RdrrtuagH1XMs/Jx3LQ5tIgAlvWKT2ZEvrwKC4AoWyesJI8Y6YY8ckvZbwcEUEHCChCTdYQ aFMWcaQRhp6RyWkOGtuh8Bg1QMMT7nFIDtP76lOY8fW/cNi8esLvzv18tjDH7yJFwbUkydkV3Cyy IkWNd06B49XUsg9w/gvWAk9+EWlMQpG3g4agCJyGsbhS+yFTqDbBR3gxhsviEyLgmKhXDIaqjy7I U2ONpQ0czF8EgwqwqZIrsNibYPDFtYEhAfjhNPxdJCKhyB6jlJcIxDIoRQTp+kBwjTfsiYI9FbbQ Sj5ZyeXH3AbnUIOvtPnnYo7QhxuIJoQiRr+ho+0cFXAcOKDonAaeYCMUWyGkW8H8UJBmSE7UfHVx P80XCEX7lmHE1GJdHc71pBTA5jB2lUr63lcYEwJqvwK6j9ZbqQQghYxe2hI12hI38EahjARB6dzt xBnkualQojUp8SDz/DLyIQQn9Q5PHodwL5gGdOYbCkjgRSrK40AaTBS5DRZqZYbpQwKu0lcBWiYM 5p7iI6fDNPhH9OkAebDH5LQE2/GD6ZGtMMP46pYNvH+Gt5TdTpZRz4Tz969i/I2bJoYPU95rMEo4 utiX36Lv0EyJ9aQcdoKotoEDTKqj3Mchv56WgP5Py984Z3hHDogCJXWLGSwQ5Ubp7d9nAkqXIrAl kUNk7AkO7La3VjKEIjCcKjciwkPJsd8GYYLB/JYSylLeXmCsMHjeMmwtGtp1klFSJsHIVM4KKnsP CUpBc22vRjlGZBLtrcQJvWDY49UES4bowewIbMIQhcFn4mFYao1jbfJBa9YFO3rlgRpCQkOhgmAv SghauUsgoI7Pm3xr5pSOlsQHAJVmyF1fu/bqgOFK7w/NRcJXCDOI/QHZGBpuWZmRBMVlu5xVotOX zG7XDFUkSCjN6ymyHqEV2g9Ge/eIWDk1yedFHV0LsArsjY5m/5hfcj7QoFArWwoLcqYwqBEKiyC9 TUBAck+Q0yIQCFor823AFgy4AwuAsx2Phl9KisUJmsUYmgVFZO8KpDdFtdLm5SxsNBUYw3YxwkfK H1XVpthPFIX5StcIIyrvLhgSPLHS6IOcWChd9W8nqgOAElFXiksSUMCVSjY5inWyCt5iYoFthczE xXsltd9VV3lmMcRTDEbEjQpAHcbHkstEbCTB+c5YDDZARApvjvJbUVoQNMMd1qv38TbFChilZ2xl h0WAEjnHCTuNgYIEmnXdyqqIpqykOldlmrhyzMlp/VmsRig2M7zwWMHyzrZA5ZobLCZD454urFGR EIqKZjoX9qqmBDmTriWdUT6dFSSkw7uyEH4c16T6oL+KhZBN5RcCvVsfVDQzkC6shh4DcrjdiMkR 
r0lLrfGj9fRhx88D1UuVH3ofdv7+QHFOAceMKAcKUooCzHbOL1Hm3htcaKy8K3agr8di7jk8lKe/ BbrlkNYOJge54/xD7SkxlCBG3phHaRfFULH/QclfO291GquLKNk9uKPWdsHiZAsQvB/VycMTg0XH O5SQxBsxAwbQAYEPBkwyzhI75VEQrQmjKIHiGc1+1WER4jjtxc6VEraLEDZaAvnbKYiJ06kCDQIQ g2Xjzpp8+nWBxZMHDqOVl9smONBlgZbQ0Q6aGYvE176pDXq1MLhUbgQ8n2PsQJdNQIzxqIP2rCcG GgxV1vs2o4gNPVdfhlc6QFB0QOLS86+mWIoXoCpbIfHXtQQ9V8ftETkON0pBKJBD+Q7clTct+r9V X1vLZo0oezcyQia+xw5mEWII8FMBBI2qOfze0kZOh+asQupZDwu4se6SHzdUq7QFkTCHEjSIIHta bVqqTv2X8r+d6ug4YLF3+54zVQD2Cg8xSkQVkUG0Y0cONFDVlrvUDB7NQBRsEHQ9AoCYylFrOmcX HTFhYqHWKkZtrIYiBGztaF0Cy5PPmuxke4X4zLHAY5FIz0J27dqvH7wXnnztKfSec5mgf15dv0sc ezcwCNL3MzuaonsdxcyRRd6mP78ONnp7qGfUNDAYQK4qYiiMNcRcgLjdNbcVCi1ht2Q2xEIvBX+h XGRhAM0SWI6fh/elzX3uLzWWAj/tNLxMjHA/DlSBt3cgkjD9Ll+ATQtzFMfDDqBMGP80/lTKAfqX HjG5RVUStouWcEr86Mpd7gyv5t4SmeogZjZSTXhrN03PvjBrAwwHB7o1BTYjNlQZKpKPLIiyFGLk EBxmgrbi0NXbdZ++pt3uLPCOozCVu986cuvme+pxZ47bL2ik0gsSzAsxESSeodjlv9htqM1YbnA6 Y0DJKnROLORxzDDxGdzDohowS1EDvaH0IThV5Qvk13VdEQJyYkQ5sdONZ3rzFtCdLZij+AdXEuDb cp9tx+dT3md3O9fYJTC7cIexvtR1S8BgvRfwgS6uV9Pu6/3t/01sueySekaGH2QhiKHSOFJHWEtL RS5sSGl0U1Ro7w79Hjn8X4v09O/i+R9X4ba9219gAf80C/9CqaBpSgKZ/q6evn1VGsDidY6P6JbE QI7XISjH6Qqomwd8bbvxhs4bqJ7+5Q0Hs9eF92KmghN02TCkNAQazPN3Z4+B2Av88O/vHhzcUAb+ 30ug/9TzM+i5RUO5Ql0OdepkH1y9HYuqFKqoYKH7VHV9AVA9wEv5CiPu/LN55L34PuDrs1C5O1x9 Jj28NNIDNP6/8Pyj0aDWxpt+1vya66SybFggT71l/lCCJkk/BuHYHuPU175bDd12Hhdadcr11w7c 4YFm+caD1xcafXiFYSQ3aItwDPEfgdmFNkxnoqF1Qg6ihiNl7iUi2DhNc4wohTr3ijiKRaPiqcaQ ndLj31Cf9CB+CH9OGD2eXn9vbudf7sDqlKpR/8SP/OUeuQ2kKxkxTQFB+9PJE/pnp3B2EiF0UBTc DC0ZgI2IL8OMFF0O7gcZiHSxB/FAaQ/xK5gdESVf5ZyFFyNf2bEQFBxxqp2cmlKQv+23Npu7FF/m waew+4Ofx8Q/5TuS7SUBTZnZ7tfwlFNoUGf8vo+Gv3/qAr+4qH+csywWQ5QjHiEw8qQ9yelNcwgs CgccFCIWcVX0lBVFSkGihEnESxJ+fQ6cibmmG/qQ1BnbAtQRtnzjCn7kNrIjY1tpXZ+nt2eC/gJS ETKn2G2Do/j+3Q/VPT7093n9jfw8544h1G3Yj3Of5vR3SIqHOqbD6R1tEhrTD2e5lugPn/dhH5zi n0KLxtV6qoyBmOrXHMGGFGU65wrl/V3tPDeiIUxYe9QoEBUVucfPCewS6LQk+jff9I/t5wzxeYc6 
urp9XI7E6o7aSKpaKCJaFiCINf88rQ2gX5Uz4dNcxT+rn/Fkf6nv38XGEcyYMw3x3OKTqkkSUbpX 5HRAhhIj6T8NeEop0ENAoS38uPvj+Zu9Uh4FHOC6mk/Ub6Q7yLgRmUV57IXxuobg7yfJMyg/1gga 7VEWPblgJwgpjm9qAihCwgHDbbQzbOx49b/jDuMEDSTlm91PKiKF99SWv+vnjpDJDKQ/ckn/DpX8 KzWX4/lOfU9NK07qHqR7IUo44P383agr9NhHFT/JYT04w3hr+mzibxzywbITJHi/9GQ/f+miapqk WQ336v/H/63OUJurcEvKDXxGKdhf+38+Cn8IpQOhgvUO0RwHVT8EGhOJnsQmWHyQxGuJXfPmTvg4 cdpxoNBQiRa9ZdAsIc63xkta4yb4Fu13+Bq2IPNo21cfwKkPA4ww/uZz2iw233JxgLsm3wkJfUoA LijlALh3grSlGSRjzta6HkARLzPFaVYmxkiXr/Uf8SIAjH0700cGqrDu9mPzbD8IXGUxSv9lf2fC 4TI9gluobysbL6gzfCUPsP5f4riw6v4er+s7JCsk6vVH/E++nG6ZVeOChSCd8BsiN1zPqPP59Q3R 0wzu/Wb9mNZ5jgWkt1p7VDmP1SNmzt/ky7ALblGaMQsBsVLeUWi643fm2eF7ar7UkKSFJythc9Xa Wvq33FIKpAHWCjTJChgQzDr362ruGQs9GEP6I869qixqa6pwz6OdnaN4+v+7vgqZqJfnngHov+3m /7kgKj9M9q5aLkgEQroTJGtXnyC4viTIhUvRa9dRxjXmP7/3D+rOacp93V+OERu0HcwPJseqwbnx UbQSpID+/OdNY/zUdAwpis7NxvF73KKmLCEC66gtMJQ7ml8aVpIU59Xn6F8bb7QGllkIAj0CaQnf rwrCCCZRPnv8e9ngcP13juyiP+MoZfX7WHlLVrVxMXwrNsrgHOoap/zvmGEyLiWvxXvCdXRvw0St cFU4sokQ5YjoFmgOAh6x4TYzpAT+H8o5ZyprcL8XThm7SRbZam5u41Yt62SX2d9Gmo6GWKIBYLhK vbLkhDHGQwHsKjolC10IONVUPxhPClx4Ht+KvK5bDko3mmxoI48Dv0NgWAkLV6o89axa8r1Yc5Vl ThD7Ifvhtg+3FgSGKBSAuunWcoQwZmIMVdgiqqia62b/8UOcYa9cN2zq2L6MI61yg7si5YCBvdlY BZOrVzzoMBGIfyzjjfFCLrt1RJhOrnZPK/Cg3kZ4CTKAqFLl91zfHIRRGMgKqqIRfkVhHbjcJRjh mRlQWIiJmRtwjBwFiwzDkjA+V9RV3RZqlwNltnO3Guc77cawJ7vqW7AImQHaEIAJVSqqqhROClRg ZKp/k1v6e46J3vKs84wYEoWYwXZbbYxgLFD+tw2AmtUH7sGKkruA0hAv88YpJWqSu6UuP992xDYe xAWCw4GAErFlEmqEOUJElIJ9Jc5NSPVC/w6jF5lnGPsj+ECh/N4YKgbwjn9D/32zNbK/eR4UGPkf +gOvpHZ3gqAV/4vxBtYerzXBAGQVVOMvLsh2PuVW6woY+mE2+1lF05Rb2jVLzylB1uvWrn219MLt a28wX+v2WksfXP7Z6QD1UaKgfkqDkChBxGZouFL9QkqIAPun7ZuNtqwnxg3uuAOOTG3EfoSmr+hG feP0T9TCQNBR4xgpSDIjXI+7Un94wh3U4jib7gQZB/s1gQ2GGkJsePo6d34ePl+XcDO5UIsU2zUP ZwqBrEVBXouSeGd8hNgIfI71TmwHtFpSThb/w2I96p+Mx91u2XNh5fcLiLm2oMR6V/dawoPzMGCg 3FWyLlo/mzdEF6lV5lOpGm6vttRnC2Ii3pgPAQ/ug52V5CvSKLaq6/+Ti0LMmyThgDiUiw6HaXWo 
Xn/xve+SNSRWShddpiAzjeRIEKQRCAmq+Sw3U7yHE/7m8N37DeR3idyk3z4jMYeikOq1uWoV1dQ1 NtAxwTCXsTBxxt+6IwTTob9flVsgYS9dcYOKnbIHfsAnDaXel306dN4hLnZxWm4BpaoXxVyN8VPq WGL6wZuonjdjBXo0xpCWkapu1rd2TkEcAgdMOqtRLAik3kNGQRYVhtA7+LJ3ax9Hu24mOrtvDX4x 4aCkS6Kq6k/a3BkIgGaN2tyHVCKrkbxO88AeUOMNQoowoYh739vJHRAGx9DyGrvWo5Qtk4lE1Yre rx1vZ9GiE6ilS2EX6Yexrrr4YHXBRsWFZktyxfdoVuKaWb3USArnew6Taseh1mqjO1zumXKLR8ma fZKmzXQRlALwa5x5LyDgOY9A62enIKwgusZLutEKwX+vYF53jwwU9l9B0pt3MnmxjiM84wC6q168 4pKTNReEFIOMxGNevWPN6B7ff7n4/8jh7+XIh1dKDjXws8md/2B+H10P7B9LiLFFKokqKqSO76sU OOMDfbYdQwf27YgQBgAg8ePBggAcdBAtoo/J9BgQ9o4tAzQfx+v2eCCY2jdNK+P/PoBTyCD+pPVA faMnG1Pevbd9QGEU2pgnIDxn+oPw0mzsD+glPBovLM3T23CuQ6dXKr7JF5sGCNNOiZdsfVAHsy+n axAjTHWyWyKH31RNxA+Sq3Ti0CEyhBEIsVhvI7uBtX+Vo9vPViKPCsQvBMRElRJEQRFEvY0nrIHB CKXfKXwdGK/nyYI/5LGO022P9JkuRuGAmAj3EA/adDfQUPvT8p8hU+wnp5BynyenjsHvnAUTIJOM g6VOY/xa4Q25e/xnxJgn6i0h71RUSSYnD2fQfSfRr2bvnJ/9kucCETh5IUemrc5zTdN7YMh6FQct fa1BRCF+b/UV2vcewDPMMm8C5xynDo4UtKnAyQegIK38kHNESD0FNWrYDlCQqlw2RruvQSEeSiIF 6WNTwkIN23r8EF4ZPUtbJxJA3qL+YuTU4kgIqI+NDfPwtAKdq0P15rAJF22F21qci9s0u0s35CQi ax6xvv7aCnoQi8JuTK8CJKcAH3rIPhtEtK6IJRsYd+uDCaKkkZIsiATgP6xxhHTgSCJ0HUu6IHyU hFIOVFGpfqHEOIB3+k5DYNRE44hqUje7PNW2Ki8/6HqZcI2S8FwtpvEuihtVjw8rG/UNeStX2a7G ppbwjn4x+d9mlGRx0FRn+ZCpiv5ysP9cixxYcI0hGGweGk3lAc1qWCAEaQvadVu/9FgQ3sGTaGge LUxvnhvtI1mjUbNWbNQpIDfSsqwaCqPTQPGh/VIIBIwXRQ0HfxweHApSWK0axgGWoVeb56SaJDt3 b2Ga7GZ/HMP/3pAnuKuZRCLP4v0dL5n92tZUtshDUtJTO3NKYjJ9x+ng+f5cHedexh2phouQz92J fdCcdM2frrK9jdEwiI03bFYSScXooWpX5SRtxFIcyohdUOxtph3wpWc5Aje62tZ31PWjhbnGpolY POOqkB5lV0x5O7Y2FLrli5kcGBUOcMHbeRJ1St9LQKG4W4R/wdQ/qeOwzHcQ/bTJl0UILnjy/6Rb 4Z8RjDdYURgcCKEPcL4cDKQkBDko7CMnrpOcIgz9H+0uOYMEyE+OTNdPsH1Qr29ajXftrW6vuFqh Cai+6zBgfcoUX0qq0ls/Sc2grL5/KeWcsjeJrkiiN1vZb49bV5Vxt9plnM4ejRNcDR9Qy9dfXXOg E6UAqey3SymhC8iPe2BhaO9pQXLJUpfBL9k4htI3GThWbeeDd7Pk9fmhwLUgOws4Ks1nv/szXwiz TYG8rWZCi8ktFT3KO2Snasda4Qfi/OC50wi+XbKgw3ZaCGFI9pU4qFNFUYtEsupaEMC+JgyLx/Fh 
Qk0QLfR+cft9Vs+rfl/vEa88FCWQ0nTlwN2w1CEeFg7h0IybLwtCKaooFq7Fy1FhfTezxmm7pg8a bHnVQuwSo1Y+DCTlQsWwwzuaUSKdS5P9tS7SWW9FueGx0AIfm14N+arBrnNBG2yCOQ0mGUmMCdR+ MocMYyo/+0qRlJsA+546CPC7VERpEcTC18rjBNRHCu+Ez9Juv5XqFdht1zIERK7reYYHFmUjX/Qs 6SjJ3aHfGLHq9n0SXzVZtZ0KXgmdGrvTeqDZfKkvn8vtunLWrT6B0qxGFohk+bBoKsBjeIXGYoVL ayo8SKVWpKgrHxbU8CKBwtV4wg1pG1/rhxwfnS/4yC2CyXuzaGDKI4QlFYMsOos9R5ptPWVBYZvJ lxo2g91EtfJpGgszUV2KtHm7wxN7TxcNQoXq77OXslzE7GYcaSRGhHoOj+z2a4Igskux+tPve2gW v1OVB5JOTh04ely8xz8WTU9RMEYh/PKhQH3+fCHzp0TEP7Yw4iQNxCGuJQfg/jR0oclQ1loHvPcf Z9iH8OMEn1Cn1fSywNI80qIzVojRRTO6VSLExvRDV11qaX8cEyrnIwZwJdxRNW1Edvr4E9TA+ZOx I+r6ztbxBbv6KJbGhAz7YC+z4gohFTrnHX7vpqrWUz5oH08B+SnJzn7jjR+vRDQeAhozySLbqQrE Cg9p8CNfxBwg41xCDMGoS1wH7RG8XxFmQURBXwqkJJKQdSUBXawDL3fYEH5ThEHVO4Ogf1qKLLPG F9MVsQkgTEELv64ptD0EC6ADzjlHHG+JvmxFcj8iNzw4lxy9a0fnKyX4BQzwvdFfWDtqIEoSieHf +LPBweJaDTriQ2RcI+R8NBs7cbQrJnlbQqvNN4ZKkx0zpnAhu2IaETVtMtFHlx4GpoGgUFHunoZ6 N/AbmCvWNTTbYJyuahFr3AQJYSrJJABMyOdYiWVGAKAJGpzd0kES564AzyWoc7R16TRpQfTZ6565 lmlPkMqx8ktNSHDweHfIIlNPb8h8GzPZHohGGkH8fS2Rv6lPSTrcMEgbNlwSJqjsh52W87xhz1+1 AHdl/TCn5diiUmj5pMovuQzmN/SN46g5+7sF//r+1B/P+xAPMETEuGdwH/nBT/lEQjAQGEIf6YKt g84LQG6xaKPTKWSEgSGkMnx7fUn9+WBtbLsNUkD39RCvn3GHd/Dm4joQIEJCaf+XZ9w+4W6+sJ/2 cPL+A9vy0+N94byHw7viEH+Y4BPYP4ogGQCBU1qPxCr+9NXn/w+Ptzn8EEx39SnzfjbyTrt7iGGT Pl3iwwnTlBOOgV0AhHEYBbr+cQcAJ10mmXnjo9jhN9D84/cG+euoQ74wOa/PP2/KfU+B3HYn+c1y /yP2heDOVP4kCiflCzEpAyBaIUS9AbkzsIXX1/yL3/8k+Xc35jR3tMTtZul6Rh+97OOdHAs5nArP VR9mAQct38e+hGPtPZqw7JIrQAmWYn+2JrlF7mz/36v275QnQEizsFAia/9Kp/6snTJVLPCh6sDf JEMwrPU7aND4MvG5ho4TZAKIgCQgyA5y7QExLcvt0d/IxzxivdyMJkNVHwm7i4abbR5E5xj1hQqy FVUIz62vkOrEBx/NuXJ5delUOQDeeW56K+SPLYcCHrfSOu5P94XGemB0fzoiSz8Zv12eow78dz+c 4WdC8U3WzmQ81NJKNCUaU/0RkYYLPL94QRCcwD+yOlz+4QUCSbSb7i/8xYBSgeQbJ16KALQGxCmc 1/O4yf6UgP6imBvglARUXwAcoikMyjCGLLzUD1yS9Ln6MSsOfFsbaz2B7MoH80i6KxKAJQ7khj8H Ht2ppsun60FkA1kKEuUnyP2/CesZQHPrDggfT/3okOZrRuCQ6gDnnjiZfrPvo+H9naGjrink3mBS 
dNNOkDMD0SHkP6Tew/5fFQNXGwKJcXU69z+OOrwX2UoJBCfWdyC8LkHgP5insQTdOaGA6+DBMuCA Ad51nfMyeSiLT2Equss0Oo9HibfLsHGtrg5/gsAHUPVLEIG2Jbw6qpBLbVqEGXSOVvkDxHumJlW4 EpkgMGB6p9nif5c/NH4c/DodP0HP7r6zu+0PPGu71QgCgH18pDsDgbGTrBFz/d3Y2+hJe4A3EuIJ 5OhvkomRlx1Dn9mDD005e3OnzQ77gcxE2r7/GuGvj1Hzb3Ciyzzc3bvPuQKPm1+q+X47sDyGYQRE +eiPEA+UhZicyp3z5Yd1YLhUMfd9l51hn6vp8ltYRv+m9vj0usEdB8ui6gewuxBehyQ5Hzhs7B9o wnZE05FGYV2fOM7e2zXhv41PnMhxJ7fDg3TqHl6VEAAmQl6hcGFB6PBs/MF3+IHINBgGo0aBUG/a vRWiNPzc/DVAIE8eCDFuu9vH+UMwCgyqmQcOOu9fVgyo3O9h2sD3nX2ywyni2J802hvsew/nOrVN WpfE6hUOmK9CD0qNchDvnOOgp7gwWGxaqIAeeEgPQg1x1FOzHeOU9kY4JbZRGBTrIrBNrTgkQxKQ VmCkdTBrXNUR01hUEp12hAwfOlgNgIhAX5phzlACQVBJLI5IW9WDzHESY5qLx5xcJBwPmFRcEHHw gIuCCNB4DFBNLzKB21A2w2bEAHzDYD0IGTkI5Vl18zOfCUdE1X4aFXMRSqJ+9rYznGsQ72BcADsa 2zOIggHn7e1Dl0NFUEcfT+9h+2HqhynPkEHIQzWwEQUA6BtiOwCcAIg9twyAhD5a92gxhkNlw+/p EN30uEH4oPWOHXmLtzh0TuRRrucHJz+aqUdxQd0ODTX3U8y61NwRr6WveODKbR7vYwkgIjBQdXQ4 C+m9AAyZbadlh1YAdgKSInzvQMP9QI6hu8hiEHoe3wHT2QEKd+qxGzAdOaoPP8YoNY8t8XHEDkB0 ygicnwDXiZEyOYhnTnbLkge0BGgbyUa0KA9/DobxJ6Ewllm04GJTzMw6k21MGcmaT59ez8uBe4RQ PGj38nYppIhpfajZ3NH1LUXt9JPjYcQBNhcmh1qDNMMeIqgpZ5xdkHbGZhEL5phFr0Mw7KlpvYQT mQ+dhiAYoJAgV4V3OOZAZAOQIomsbxyFgRAXRDBBj49H5+jveykd/7PkPgHsP6KW/4VrJC28v5sw sk/6swxnnqbfT77jSbH1BOI7dQwF9n3VaM4NKir4P3e+vMHt058JROo66gc3hyUfTD6tzwrD+4QE 8It7n8PltAVIn/Icx8CiVw3t7inZ2N2Ov7ef7u3fp5g8u1HaPhCG8Ka4xApH45QNQnEp8tntROXo 9PXsiB/4hFT2J1ex0YHdnVeLtHrfFA/o8HNBDOC+OssycHP8+fV0GuPHlq9aA9/ZRyJmoVWjU2NS EnLnWw7EA8RgGvLc1FqDGfKekgalDaraE1CmoDmIUzPdU/jQh4MnPYp3Osb3qoBySfKklNBEJ2yi +HNwHbHDeHlAnGsdSR9encPNedIA4gckCqFTlrs0IGQgJABCBnPLfJpyEqTk5Tgiw9qTVkXjcVao vd6azGeQ0e9pHqxIVaM5XpgLATS84A2gTW+ZIfX/D5f/Q/+Z/wPE7fz+WkIRMHt7lTr+WSdHop+f PZ675qGJ9fTy6FjGIWjdlpQLmpkGIhdWcaREqNScw1KUpF3DU/Q1qooPxnq9I+SiZGvrFQAOhlOq yoA9Izgh/Q6PYkK1oJKNzFR6IWwXebGh4PUn+2TsIU/HIv83txB/b9vtdEDgkO9nwT2ML/j/UpYH DQ7y+s56h473DH/LzTvNpQDead1gOLKkwLwgUYYlUET9SDPu6Ml6FzVUA4CCqT2aIeQVX1z01C0b 
6ySgj/zCUw9gsQbsGWtPzwljWEpSH2PV60+5Um90Hh/mYkBspRyP4W78PtEKJssoaChr1xIECSZF QCQSE+QKn5gtW9Z+9c9l27KWrJV6MA2NbfyyySIFAeEcJ/HZiOGfARlBtSn2MISJhDUQtMJOJ7uL Rnz0O3AgipHzMEC5DL96JeACkBl2XccYiloNCKqpVCUn8GYKelMlWP2Xuxc3kXO4RNTsuluXGXe6 hLFNhAoUJF1h06/+kUoDAL716HXEmFy1ujqyDqFz4im8yQ5EXCJTIwN6rjjZcIX2VoRncbk4GMqN WPQWhFmeOWK4ZFC0aLGHmeFSP0XUbhgY2/uqkj9pArf7lamqGHTACF1SpdVMVOHGsA8Y5s0Y8o7m gZ7z7iG4W7JCk8F8VWnhVmlqzlCxj0GekFEADnqUTK3GEycuVe4RzISnQogKVza2Aj0klXlnSFYK imPKIOLzKCmCiI30jS7/bCeWeNitcLKYFwbhbXrfIIg7SkBuiK4CVxydbxjSWYvWA46e7zvYoIgi VllzOdk2zERMFaFJEdOcbDQtL4mC0eENxFM0KL2w1SXub8op/x8Fu1agfMGxRGyhfyJDlTiEzMqO SHPgWu6SRRtXkR/2NEjXapzNrBQ4uUPq7utWcTOrT9nc9fpmt/R/IqwT9D09CPZSYs9x46RRUe0U W7P63q1BQ7ihMzMqdquO4nfJhal/lggF+kJGwifkyCG/Rk2/4nWyCBACSPddZgiumCqqq+1mvgsM CMR0ogTdDDXcApQWR9Njok2bc6klkRLruh+8zqvSq0NmEVZE6gQm8ZX3x6Ih3hDx13Wym5WejNbw Nz3VGY+US4jRHgIyQH/pmLs9oUY0HzyPrnvpdXs+n2fIwQnUcLnYOUp6tGGMFgRdxbzvhg7XuKQi V2xS+4qi0myLLscRxlg47ISEV4QHkQOsiw7dsnBmtogUKM33Y/YPIjckcxWdmTbyDYDijj5n5S2N ooQKSQUCXtbzvlzpM9L6z9k652an3n9xIBYkYKAgsYgoFKCIp/jgCn6rSAh6flxA7ygl+/+kKw9A P3EXf5Iv9X9aiUv4NQiUBQMLiKWgtSKzOKR3BsKmCB7vOPlPlPMeJ6BnaewSp6fYaBwwes5BeegH +jPnQlMc+lI/zVGisEAusPAKpBpjv+LcJqiZQ65AMVFpKbMOSdmGh9g/LeyB74sEwkGCgwXfumK1 sMnbvMSCDQp74jze2iOQpAgRjNPIGS+1muQgKYBtFKpr1ZSC4SyDZgXPy6AaJjfgbN7HFxjsJDqg RSAsARJEgIegEBAW9t+UEhwDxwYN8imQHEccZRvhyorqfhVXI69d1w0IquifKkRfW89X8kh7nA/U doQEprP1lsiGT+Dwvo7m69TO9RltJeQG+5O3tH7TbE2AX9EqfRxyP8Zca3VReUKmcWKoR0rHEooB RORQf468D7vr/X9p1upP0fYixdYlgf+KEg7TkB3JA/IDoH0HP8JDzh1+4Pt/q+4Z/XU5/hK5w1kP aUBlYOEQyJRNl+LIrISfqJ/ZxnD/BM6fk7QOYet/JcHHcm/y6MJ47xHR/AhDwopJ+lYP42Uh+cPb J/OcIYP11Rh7vs9519vX+vxNj/zL6f8Ndj+30w/wOSZ8hBnHY7ArxH8qtZ27oLuQRDG+ozx6c+3X PHd2dKB7iVA7sHFTCKfBOT5OwsjAnG5j3+AgCbu6G5hHDInj4956MOvkfu7qupT6djp2DxluLB0O YwhDmc5o+FhyIbbJ1CQ1+YP8N/KCeqqAT7EfsUPwfym4D9ZrPzj+H4czXG/6ET8no413Ju/WVMHm bHOQ6YUP9YwoslVCMRFHX2+ywww40FKzzWJCVFfgOfqO/kK5IONtk3wff/6+4igKOjOYYOQV89kR 
81y/Uz8DMrqEh7U86etFH8iNiIPDTzvUbyMKzSVuG1GG2KhdwCr9J8R7P11G7uR1H8hr+s+jcmXS S0QlMRF0Ohmo9n5B8mY+1+g0r7VQQ9wc1CBPQaDWL5yPVKTBUSCUMVLEqySXxSpDyEJWqcj6n09I FwgY0xw9x9qbzajmz0n2e3hRzmpKiEOAHJ4zl8hyDQEQIdqpyxPq82l2tkOwA6Hkbfm+dRXotDKB aOOM5y0OiXHu0/PhgefAJhwmaMW+JsBzamaqYooCkKYcnCxg1kRBFURevQePPY3ViUiDYA08xgYj x8M7+xA8AvO8kzqYwzvVBDkyQgGx/AgHBD/GHHG3yH2/qPLb4ocEH4NI0JZr5/kHMPpwP7TWbDfz zQDBhhvPyfKGMRnjXXtjnO+vuzieA/PAB8KhGikOqUGk3EiqALM7a2YREFkD/JKE/eIAcpWj9cA7 EMQwSNLzLoXX15nzBZ341k7CfYlHQ7cqURA+s2xFiS17WZrunNv5Fy8IYoI9kERE3IIZ+r4Xi8df d3BfBB8xRAiIAzJ82j8azRXGG9ZStGOPRMVJqvRlWEl3hm+T7TGheo6psY6wMnyCTr5H0bGJZ8Ii fUj5gUfyqgh/vNglMRn5pHTx9JB89Cw4AV2M8RmIsA4sKBn29s06f+J9msN0gfGB6w4AdhJJAMV8 dOtxDyIdOvNfbPX1/YH45+b3ZO/lw8NxE5SoTT7i4TXu+2dnwvjC1VGIyj2yrBA/PCufhm5DTb5z M/Qb6d46snFooRYLPpCml+oHQ+v+E1DHEyHHATc5tCCGAUCE+tOoZBijlL5SRUUQnctgk1PD0J5v ON3p+TcwAPDsbqn5dtkilSgaVWE4S/750dxPwD1heQWhejQuYQOKDebnBqaHuszuPwd2hEQONCKw IjFFSEDCwJVKchwRgLQBRMtAkSzUFVQBVIcYpyCTMJQtCnIwgFEhwlNEQrycAMki3KnSywURMrCr qyN3Jq5n4p1CbSej6i/T8xl6GBXn5FcT69ait8rTB/2vBk6eXfcTrOz7TjmZ/UdUJfDqhIaBR1Ki JHgS5HaHZoX8nJ0Zch9CXWezooAnKH2dQaI7QKRozv7djWL0VEvA8nlrZRLmTiicuo637PDd4Op+ SrwNA+/A4YqNm5QsMil2WIwSooJhBUJf0nzHJNFQoRFIhk8O3qRgeGGHaWDHuKIBrOuHVtvr9aad iBW5NufPrTEOHdE3vaXOh38RgGDNUxV17++VuTIUcPXzpdzCcHxOHM0PdwJDTrndALgIhJdWWBOY ngJA7dop+Q+mx+T8F+OA0gsF+IU0Hx+AT+4fzGDRYIgI+EJXnuFaD8zLZt6Q9ie3Pbh/d4laFev1 hdvyBIRfbDkHytkhCHrgT4BITSXOR8P0h+xsWvvydD48x5BhbW2tI6UgYvGxGfVts6GYHwA3O4Cf N6yfjkB8xNgP2Y9I7+Pr/Gmu+5zKDxowxh7tqNOIYKMBjEV8o1XDafm3AbJP6j5awrOCVXv3wZIw 888QYz4sJO9LBDBqM856yqMeRAsPN79jENM+KLg9G09x2baQHCKSZE9gmgFZUBb8hJikHA5CaAW/ YmvzlBygmvctHwPr91H2dvmnOzGJ9sPuE+k4w04DTPjn1fuMcBRB7IRQiEfw08GesCXQDWvE01r9 oc7rBLSc5HJO+EoppSilmGYRmAiBp/GfSJnbbwvLw73ydnof/kPwMNYh/Hutc9B+bQ6G1mMGsgY+ ypVwqIfX6DTjR+4zgVn8/t9qDek9hPE6seCdGWsuoeMiiXij7PpE+8wA/L92vyLWx6eF0JqINl+t ee0japtAe+CkKp9+zMMRVIxLVC/yShsqfm/XrwGDiTCAyHsu+MgNS0BbUIMw7vwYsKSYlDQbz5KN 
vt7CWcHK2h10d/u1ufHjNh7vjk+DCZmH6Q2An5gkJr5EN4E8QgHtZKbT7xJOIUD2p6fqcpwQ4ZD6 N8UMg6Ql8Tl7+feGNBExcAu0PHrlwo9rSHVU4ngc/dAm4HVKgQbh90KfCX5JyNS/ovlNsOuMn4gG 5B+oC8WcCJT8qqE2IP/lVTsA57Pq2ZRAVAgW7jvlDBeRCZdZQowFaC5KMko2TqTs6GIPFRWoAI9S Afl9P3e6S+t8/rCKgvjjGSmYmagqBoGCkmZqSWaKCCSiqKJiiqJpqmgqhpoihRQ9n4F/STGwB/1+ ecDAaKqKKosRHPA/OYJifA3NPzH6fy6YdWMD6TkYuHb8VFYxnPqLuO1xOqZgL3t6vi+gO0I/hyRP WH+7H5zZ1DZwczcJf/PjmdIBr8gmicLSe5IKFS8deYUv3Rt9rVdkCkjj3mJUY9/ktG0mLL/JwHDN TdLLSjAvDPuqMVg2DgN/xc7zjcNlY3R4lBoKMRjK1DotG59pRpM0OlXebLPgM6EExIaMIKUh289/ GUPUnNM0ATMImAiMU4WWdg7iSHJAojEEQ9SEQDmB1bsA5+XdTvfDv37HmF1piSrF2QoN30hOMOwn mPyyQIDPbzOw6sEOb5D/9b/vQnW+YWHAjtU7U74TzKIp6vN6TwH0mvQnSnv+oH+Q9HUG4mU+mj+Y sJY6+5SgFP1/V/V4hx/dBGjWXWLfc5FwyjR+VBCn35+w8tr4rL/Uwl8jxmdK8BkQREDwCHt8j8yG no9d+E+BN6tmPG4IR2zEkduwfajAD/L1qPWbyMdnh9t6jNAECAXyD64SEMSphZ2UVdG7p9dVF96G LqBnh85xionu/dxYTFh3h9PvgiqqpogoKTj0OLyrcK8+/1/AyZwsBgw0qHadPUd5gPtheoC96Bfm Kf+w3KP+fq/D+IqkAj8wE739EPYCEVBX1NA4x2uoob73MfjMlzzSklUaiH848OOAzNv+Hs89FNea j4V7vd0uS/2UIz3psktr6jbeT5EOx10qG2jtpZuaG+U/EfwSQIH5vhudprv18ssgBCmHeap+EiQj 3genDe9+Fz30v0dGISWw7egIsb/mxNx5er7RTtNgO28Re0B5SJ9WAeMHmlxCigmZi6ZLTTDnkc0A 3lcIhZomJKCYO7PAnQGIB3S8QCnY8YaD81yDQbsIPBApoOtDg4j0ygJTFJAybG06iFy9iecPw94+ rc6xOx5fM5f4s6nlj3/GP0OugwxSVVFUJT9YVuZw3658D7wYIqD9hiMhCB7WHs9RJ6iKoHH2A0We znuTyF5wcafD4Z7Efag/Ojjzlus+cAU8OAOTBRqDLs1KJGjqDENkVvoYOQaMI7QdlO3t5c0Q88Pu woj4ogvKITh3qEq4GJ7PAQRk2JiEm4RNgHs1JnMBSTWd0esGB06ECa9J4dchrP5jy2jN+F7+UW4T YOIciJBQ+ok+n9f4qqt/PPk9h0IXDAoMRBUgp6k2S2KzKH1llWTW/yfR6PHrtxfW3OcI5dgx1tyq iKqOatDGYm/3Xnj9n7Z8euuFwdRjJYUVGyxZihBCpaXreU3E4MItNENt3LBjSyQaW8xZcKtvBbxF d3jxrI3hfm0/s3vE2wy0uGOI3d2A3zGgy0kG+LE0Y1Bq54wciJKGJQudwtHOXFjhRRMYgnqS3jvD sGkO6MxcB/fxjWg138xMB1B8oCMZ9ZZ2F8er2SQIGdTIpCH1B7qz3/19rqfNoofIPYe81DlDoGT+ W5W5DLXh1OOCc5edCCnC4IOGE0SIuISvrkmQKSQKg2mocVTO/n0gOA3duFSffGMlbHZhTqyM1Sl1 I0bslIUSdNjw+w9v2/Atqxr8Dnr/F28IXfwt/gxvmcr014f2KIcjfZZMVXu33emyrsE0PmonHUXS 
TecwwYBFBVf1fUixKNYaP6/vhjXkcrPj/toPz8JCSioTU5bwcdbMDJDvPMAeIB54YM/qqmn8x7ie 62FHxAiH82Dz7V8M/Kz5QD5WkKecbEPjTPvWGlBgQ+UzOcxDMMhBJSwon0TTIXeMiQ/6C1bzBGFQ iKKolaBLahyZ4Tv+zU+iTs25AdbCie1k6GpuFw62xnb0xOXoxCIwnYTweoT8ry8D9nGi0QMQwDEL aILzVBQYcaTR5gj1OPTmgX2IGZtNQPaDYXctQDciHfvZboQAg1qUU3OkOxDHf5BzhjEDUkUElzfv slMocYV4wweD0fe/j9x6zf/nHyfh+9NJ/X9H3+tDZ+szpr842F/adKn/HquJOHCp/EJA3mqih97Q O/1FXk+zUUrEmHg0yuVXDQPq+4E0uYz6McRX6e30T9J/Lx9f3wjWWGmfkMK8seoqxvbLuAfkYSuL R9uQaM50EI5I/3zz/J36XHj8US5/JtTQYkT44XX8CqhvI7xfxVXS9NbFk92XTMMZQ4KCaCBTxuBw UAEFAEuDaZf1ymHhnyw+xUhvIasPVoj+nDBLwKAfan2ETRM4jBOAqKquxUHqBWaC14GUUW1yesbD EkIrSXmvYNINCOOch18Th0E2rU46nM0gEKQkeEBA3R8NZn/L9gbGvGDA/s/kOMsJ2T1F9+2xPLrt VKQW+gFGD2egJfGf4mzAUbZ0BiSnB+kw9/21K/3VDUNSgoKPLpwnTlA814xVLP1HbMSJgxBd9l12 EAIvzc2jF9iGukBz0lD6YjttLgu3Hjp8GE7+FPC+YO/CIk8YVxmfnD4fP82MgfREKPONe+VzP04t iijoek+nkZhmepP7+wBvf60EWRNeAUgMs6ez/dQ2oGEYs5JjFOchikB6jT2Bco0lBSUJ9MaBooKa aRKVoaVoKaQKSkShKYkaJgIliD5lCSUO5ybIAw37qKOos41DI859GwIUQgs1ehRhmSAoT0fyYbw5 yM5vLt6bP/A8/Q2yKRi/kIcDmJjHeFfD0avqkVfokFCkMY2lAxU+v562523l5kVgwPjNUp1VdwsF BMEcEViJw+Sed6yAiDWqk5rIwu92/uaO3OBs2csME2yudZTOLx5dOe2kuWkA8RBaCkiARIUKBZpt bzKns7NuG5IBDkSzXBXp0OuQGeuJTG6KgiHjGHBLGsWaazsFkI78cfd9x0SzSflQOI9wInZyhRy8 bxtM1OWko74Q5HScdzTRPIPLp2j6Amt4dlCAlGMNG6vQefxCocA6jvP4zec9Dr5HIK6TwzDggprJ 0PwVIqiQiRKIqUKSIpoQiADTCHIDvZLWMY4pzzB6w1dNT5h7g+v1b8z2NTqHOe2BANg9QZ3OEOQd J+SSBA3z1nmCA8D14bKJzsEIi2SM8bTIaN7hUhC42V6LDn1Hb0PkSujGf4+z8f5vthKzogQhQVMM wlSlVRUVQUVETBRSVSNURUESRUtUURVTSUES1MQFJEQX5gHb8m1DQVSxU01IkyVCTVSRVAUEkRRV QRLEUkhRMRVIQlJfT8udT+NR3XSRRVQVREGKitGSfVZ8GZPcWanynb9ZYlaajzdi+6Q/g5NSfR4n s80D2hc+/5vlubfMB0E0fH/mA/WfIYO55sFPoeXYdyiHrVBDtRGSQaOh1cPVPrMS5878fqCYM8/A 8dYdnnz+/E5ZKkSr+c0aFNXN46afQccRqToGIP65iQQ4p2w33DhDAdxPKYntCH2TJzUSfi9d17bC fjcZ6fsjzCfTjKZI1F+TBkk/vcPo6dRfRDsDs9Z7Psk9Hu+84CeoLkxRjJtm4HFySaVkExzQK2Dm Xb5H8nr5tQvjDrDmSbTY8kjGFTp8OOwYJ84w0Bsgw+JdC/S8UnKHxOPQmCYhNft/mXcJk7s1IeyU 
RTYkOlXAc1MDaASWQ9av9hAcKPVCH1D7oVIlQcMyrgzn6N/kA+vd5Qc9eyyPh3vWNPWKp3nqU5cR QV8kvCnmkiCkYB04QDvMqcq9AV34I/U1iTHE4qzGPuVFoIke4NG5uYQcH5tLkl2gHL0omCPeyNKU hASC96d3vgPbyg9r3XaY/7CPoU7sE5hyBzlSARgwOKSnEjSIGoPVOS1UVRdc6LepPbmb9wniuaiJ aCgZrYzLQUDodPpJqgoKSg5KeeZTxGkoCCaTYzyE88ylDSeJNAUpQT4TCRN43KgXzigwQ0QECc7w 1yA87D4DmwERBEKJp6is9B7I6TSjERVS2wESbGRcEgSSJNsGWNhhtg2YWmgAodDacUEv3TKHEuAE BpWqp0aKN4TgGFXA85STwxmgKEYlKJiSKX3e2PtH68mI+nBKlq0UJQMos+osOJPXvCB8nd+ae8L1 8QRaGT2QJUGOIdXhp/WdWjmSiJ7ZBB+SAkL51Vo0VnGLYyuCmijZta0SQXD050uuxW7yNwsgNMjc VdK5KMIVvERDtbySQ/BueKijpjFpmDbEitapLZTAarczttHNjmJNw5QTm1tjMFyyoDYFBmMCnGK+ SRkPif2T6c/p815DE4WDzUfkWMt+RFCv2tuo7ysP9B5AIpxqBt1GS8flkvBBVu5/yPDQvt+IYb5l c8da8plhCtzuH0F3r07/5mSIQ691hEIDnb3yQEC3oR4cJJwyKX/B/DIkER8OMWRAMpyHO5FmpOvl 7Z6XjE8yXDpUmNocy4NggEhaVVvWVWD16QepG/gzDhPKZAhdGaXTeBKmL+0C+0N7364JBtE8cBEf IgkPUXDhagOHlDO2D3gN+Fue+aMEEAkbEWo4OoXEBZaMQD0mZiUf0lgOiwHN244swKju7mOOuRTY WAtxr2hRDjLXunZD6z8m0eO/tAVy/1YFtepJAceKw5bsbHTldk+FfZXBqASKPy11MebsOHnueBbp o5EWZkPoAfBAstRKxuNbe+jvTIcvivDlowbJEE8xhyFMYi+bi8aKVIafbcRWDR7f3dzWTwPf4dHz 8sl+ui70Gr92N4igZSehCZTIhk8sdjMFJ6vXFZdDWiAZkWg0/RrXGklx2TgzXDXMtdVFYqlSJ+j0 qJERMQREMiCrATekVccI7LyMsZo5t+flbRTbsNCdJuWp/rcsHOCUVbNg6zbFa8UuXBlMMymDG8Y+ 9z5exvDrtAs5tVLCDGnOJ17d+/ObbwZeZ9dJUGh89ODSumVUDGuudmOZCybdZtJQdELp1qmm0C/e 4uiNhAU1OAhIjiDU6FnDw6rpSstZKWFYr2dyYefeYaT0y9ZXUYVz6MjlKsbyVN3nCY5jq5mUGOFn HECm6HVGIdP3wYKJGMvm4rCqlRzQx2+hltht2/rjaI7IGcGpdmgOUD9/X+wXoKQC+yILQxBIgeHW 7DqUvyeBONkNA+1+47qUPaGZhYm8HxLnr3AQ0WJyEhwUHO9sHJMp2LLhrWbtm5TaZGVI1BbZH4kE jGb3BbYbm6iT16jbb3l1WhbfV0XDT2rlzXk8NHYeo8BOpHakrxq9w54XyxEHxij7cvnE1Q57MsBW sVUCq7C1b7pQcodazDGwMyiRXKD4tSJTDr025PstFxZZEgj5JcCXfdM44wqggSSSPFuIraHt2+sK CtuvWaBsgug+QH8QJYEQ82e9K9omsWSECIJDT8IajAQiApCa5gka5TiaAVAkQMgLUmnhn9QOhAGF 0PGNg98mPcThYUWAljhFEM4rjsHivn6iTiDFfdc6ITDhGMaqUm1jvQ5Tn19XPTcZup1mwR0sYgNu 0ASC1nohkkw9PIdEE5KrrS+WTbEcSVk9cl+06macOzhscli+Xr1TNk+AQ834xsOl3zjx0TeSBw0e 
rDixDWmS2Du5NE1F0y29eakiKSihi9OlMKMc3h1DPG1bNjc1PhcvuxSq5vPOnlvHDmAiBxhBkspB uINlQLQMbcWQjwsbCwYgiMDssWvIHuWYNwgM2yz1s8p288nWZdOAOHZbogAZG6f1MkhnH06zKTC9 +SzCcBG0nIksBv0mw6NkdMscbLBwXkD0FAEUWohwdg9nC5bfiw3JZw4C3uIKlwQ3SDikPR7zCzdK VuRj8ZF0OBmusEsa57xbe8wOpj15QphE8OAQEhT+pECHiC0FgDQdc5KcBTWG0aTJSl4cC8wK8GF8 pNrnSzwYAZarkuI1W06JL+z3yQ4koaIhc170HY1K6BK+dzh2co2TtNqYBNzLmAYKBcoYhDijJRDK xLlsUkjkbMGpjg22JquLnpcaye0NnlNG8lnr2iEeheWtH0D3qE4z5+PKGObGlcmSwqMMXZmpIO7p 06jjVDCENaq1y7qMg8sqBFuH6x2cygCjQwQJkKUkSLQyYZyG8+LvC8YzhrRxMo1uiicJtFJvdmTX EKRdupEEn4GRQkgveC8Pojos2l4+nh2pympmaJ2k5B17O3mekPbA67wSjQDZw9zyvV58uDQYzTNu sNOM77WZrdflkKyM9VXKQeaQcRPsGjsTeoFEUYM0wBUEaDsKzjtJ5EbH3vmzLJzJRyspqQz0dsON J82mu4hCChtRCBR6xZnVwWO1GmgJJy7K/DphcKvAAXYzaBn5W3zfcqkBDssd/Qv7ar7WsFxZhmye itjsZIBocWL2Geo6XvrwqrLkFTXBfbo0amfX2eWSJ5qpvNWRkp8DcZhzQ4bCz7UHdAbbqogi6f4Q lSjJ7pfMt0RgpAysxMJCgfXntFRTrIi1t4yBt4D4y+1PuUfoo97PcTKBO1I6gYYL4l+IIiqH1Lf2 DbZJ1AXREkkEkeksd9FzJmrft1Bv1cR1D0WAEL7nFgzPI9U8CKw4Cf0fpcNG6DhwQdu51C1qQYQl vIFzKiPN4b08vpxHnF1XPGHGG2UNntkCGMBb08+Zs3saeoeX1TgYbLC39OOhGng8i5vdS6qnFTDp y6kOCFvb5goXA2HE6rWe1OMQLDW3zSr9K3ARhM/dPIzlh9hpyPHDh0eLWXfORp8YUeSHVtX0MU3j q25x5vT1qc5Sujpk75OfR9sJ1pEY+zUTx/l70WgeHqme89uz1OqYQ70cnTo4wYSLCjFAtQ4Chggi IEO4AzHKIrjNGVesShjbf+y6Ncmq9echbtVemVQ6KJ/7eRRjx7DECup4N+rXOe/lGn7h3p0RTqKI gYLXziZxI2CnswAkotVAyFp4oGqeoMnaVEyTkwHrb3Fj67nWIUBpVIvK4uPfNb5WmBe4hAgAfimV CRTHWnNZtMDswPMIeP7qk1hDQ2O0IjgygYBCGXJxGWIiUF0CeYLvICj4+a9NZzBMlDhe+Q8IT0w6 891GPbEHHy94aBe/ZGG1vpDVz2PoZVs8cQY0T3mIzDE3HHJSbPJdHA48BRO7mPrfhwa9BzCmjIGs hyBOER7Gn8h+Vz8lw8qlqlaP00xYsVSiQ2CYCZGAD9n23lNkM4aT6ID1z4JHWSeyOIGrzdgGj0Bg +vx+3pyGhae2ewdwZmjMG8ZSE+dHtVMwb2zbeoLSYI29DNtBq/TwXTWjVgVkzRmY7mOTlrCjiOQC 7HsmjWRWmbXOXnW8YBpK3jL6QvlNns+b0i4eAnmIdeiS2FpoIGt1FlpBQKspRBMktxlkyDZGF1pR ANoKOcSXlC4UGZwtbJDnJVCDjOXWDdH89gMY1yLooZ5+wP9p31JsduepAOAnRh21O8wlYEw1FEhD rj09pyq6M2VgalaU8YLNjQ6g1coZSOZIoFGbKVEWALAsTF2TvM7ONDoKQod3fRM9faeoxHTJJMKa 
ayFpD+SOE6qkMO+SCE7qnyOhnR/jOoJ+75vHhXtn3dlYmiUPP6yMaIuxu5NKb7u0PU6YyuH6ULh5 xVnP0fFp5XnZmf9drtfR5/LCPTmS/NMScCWoLdyadYiiIuDg7bYNInlZA0o7RQExePgJ/EevzPbv A+c4sknRJhpgpBbS/ZRTCDdZz58eTkPP31E9qYLOT0mgK4eMklc6c22jhBSjrUkEEu2NLlfjfXxO +l0X1lwxLVwyEpRgXtXCehQ7Kggp6elYowKkiIUdKp8YQrD4aytYwUcZSaqjxJkYRNsMawaCoCnA dNGg2RKkZB6CU10wyQ0Q7R5RsxvAN2YCcE6hHCdxtOGO7q5vhsbQ8pCgKPVOQUm335wd71rdyT8T sfi8uzSbuORFElBYiXRY/odgJZKCFiB/a94dU5TojQabQ1RCimc+wS8TXukdYeypUVqLR6sQ6QBT QNNLQvEbmjPXa3oMidpN0iT/p/zMT9rDf7uNh/I8pKo7rqkGiPuj3iC57hzhqFc++qvRpO8J7ZDE CRmg0JCnmML5Jr4SupPhBhPplwaL6fO89xEVoDTpd4jsegB8/V9sp0j12EkixG9JOScijNT8/jpw MT7nHztwJgm/IOldlUjyROqgzopGUGs4xZh5uA1J7WTyO2vSmRQ4oGLagWwpUnP2Ym8VOzC/Qfip mjNjyPFSIgpqomYKCKCoKAsWT+vufO/XGH54AO4AYBrOx67ChnjEylhOsPhAqBcA8IdLgbJqDZfm r85Dr5Gn0Jqy2kKaYPjj5/yu9r/TmRElUTNUBFxYEENdAxHO4YU857xwDv/KeAaQeqClaKI/6+AH 1qR8bJu8F5jDB5M4SR8+GRqcCCaSZKzoDpA3k2gPiqoqlDeaGkUOW2L3HpMw82bDyhQLP2xtwr1J xce2VIUmEkedU+JCfXUUMfQG2nrMr/Rgjw9WPVP98nn8fHxGldSZOQ19sqmokEuWipCKSmYpQiYQ IJCIpSkiNIGloUiX65XQtsK8LkJSUjSlCWya5AaKHcynILmMQLwmiJmHkn71w5zgD2B6SxBTRrWI RwyO2QjZIIEZiiHbEB/LhPpOA6AaSlO1ESFJ5QOK4oOEtCtCPlUhcUXn3ndznunXRmN3ApapzLJj c+VrdJG3CWzkkwGMQ+Rdhnrv86SMFghLx+3/Dt/47mJ6nrxjvuui6n1tkmZuwbOcjxcOAaoag0eg ZE6XQKFox6BgsgWLNjUR0S7gOEsZthxgJiSE4qHCi3DWtmGJ2lrN6RWgK2xhR7zQriiQ6UNVbtjy zLd5q6hatDhohoum7oZTQEy6pRpsRNmmYrmm+NNawWmiPjdXGMxz7aQ2DDJNQi2tVBW22JOE0WDh yBIFNbx7gtagsUuDzJXow03khSKTewyGimmb3oo7m8aRHvhzhvRAoxsRpNikKx3fLoZjQhts0EFN FVE3jajtbEq5dJaQNpqLTMZWCrbS0MIqEgRFiHTBOIoLJB0IvXoU8goK6yaeLWRjCMQZADKEHVhR JcLFANEUQ0kxQghECnBBFA2gwlRJAbYOBJMlxxd/PcfI1R7sQzYNmPbxmIHpEgaHkhQGqFdkKC0F 74w+DLSWgjIHxD5Kh02h5DFLFNeGCBeKE8t6P3wyMOKEDhj9GQpe56QJLChE7miYATdPEtIPeBPH x7O1phd0MSUwpKP3ARUIMK0RDBo3yLYlUwyKahNYpENJsDjv0SenhlAfOPh5aDLrkxzl7/6/zEA+ 5+IijQ0iPGrHef92E58q34FLJhOT6s9gaTFQH+ny52ePpRoNAEyPaDNvaNEGlTssjITCO3uw+eP3 ePuNdE5/BDwgtoymBSB1jCumC5YLAJsDnu/E6dnonFqmnMaYwRKYgIlYnS6NAYJiF0ladAaXQNaM 
H5Dp9H6N8/31P1Wk9E0LQ+aKKU+cIifWdgJ4QP6fkNcUvFKc4f7IXsZNEm9kixPGzs+8TAVQNHpx 7Ku0nKRJSkbQ8M03gD4Yq65QnkVKCB2cEf3Yph0RnZVMP7xO0/+fLza8fR7VRe7WyGHv7X3F1Ugd JUgFheVbUqoq6MbKpTq2jNDh4pozjrK3yTSJCDDhn4Rzfodgy06QTgjdVNCROV5lxY5Ua1X9D3FT vrHgKdxCm0KNJPuB+yQ1nci4YY+nobQEB9IKrkWiccbe+N15suBdyyhKJzZ70aurP0Mm2cuvfBQp jrrTQc516cVM53wsDDOG6tL36lwup1qjCPiPc1enci0m2JxxpjjdHDOSCbFalaltDe1g3nmugztH yqXG47QBLbOETXRGnI6Q6cKBIWed2+pkEKu8DgiHBt5uTu+Z5HAdbSVZTmNMdIlw02LgekYEHLJi BAtjAtchEmdUdVAgampYWQzsrwxLgXl0b1ItajRGDYSQH1M0tRo1KmgIeQE7w8z0ZgIZIQl6EzL6 gxkjTj44BLwmWwfHsH4gdp2e8cdQbqIMptECtiWFlgdyJl5JEItI0FjIkIqHAceDVihCaxQ0vW1+ GEzoEEnGYtUfR2eTquF4ZnPAO8yD490OnfewWkWYyHTCNHUIRN6zrsx5mZ2cHnhcaArVETyElAR6 BaxTdPR7iPdBJgNguao6oiGo5vCB1pjpGnFPEovk8iPg+TweJEaIGgqjqFJEx0Jl6FAhCUJHSgeI ULonOsGNMb6cPNoI5FLaVoRThAqDJYHjcVHZ6dlSKBHXeu91QIx6cQDihwgz57XBOgm4eHILJmM+ U4A4CBHnAbqRMOaia7qD7IMKGmTtF2AzFa9rxktFqnXruE5MDjOjxsFK1Tru9+HLbPVlaXl+TOIo itvjNV+MzesYtNdyFHuZgYbpc+97siJSsSCRcwyKOhwUTIrnghbF8VmVtCN0hk5ZHrSGgAgQuOjO puYDv5sgdIbSDrc8Vy9BySzarki6J4YY3QuKLlSoCBEEBcusFyzWF4NmjS8tsuFbcWNBGlCbndrs zsTdXqa4dXloiLlpjB2EHRmMNGxDOjoOzDZFjG6DqwOx0U+rDs5HhvY7fBqzqhK1fDqIijfH1dOE TSt3LKsTtbD0tbDMINskWcvRh6cOHTqiKoVFiIgTN6+RVgyRVIFy7gnC5FkDRkHLVQw06nli62BJ wvYJV4HdoMPMUhzwAIPIsmGGICXI6RrYFoQ7NqMu6WvXtPrBPVWOyxhbzYcDotgLSzeXvDHsCI5e jtecFpmwkMYVteIemhAiBwCxA89tVwboBsMY1P23YSG+Dscd9DVpEUkMTbmHYXZiKcLofDvPfZwa 7DfZBbSmu6foHZsNjJAsNQkEgI3ufVh5QbVjcR0NVUacC7kJxRohETCk9Dt2sR7CdXqs7QfooIXe yCKkRCFYgxIJaTQ6SAHse3GhcB2pOXBGsRu7EGgwckgbYUoQkulK5Pik6h5cxowhFz5SvDqcndmm JmjEcFJUqUuRrUC2loIyk2SuiEfHQDnCzldB3iBw2YksEQJaUHcuePLSEeTbs12o4kISJgJkSRYI t2x3EKiFJ7SXT1poyY2+HQeHwYhQk71MiBAzQDhlQIGxBAOkDIhYtsHYgkXKoSA87gaiATradSHE 4HlCN4dGnpAtcqk1wRBROxDzm7kCxRKEFgKFxNF5iRG3qH0RGZT40kYcSNjOw8CycXw7DVoQObc4 6cORDEMPBwdDvrlplZVI6dxDM2yBJClSkwgkhOiiy4rJI3u7qWHb5UWWFS8rNE4fPckeDWuYgbRR nZwxEGOAJCAgEEnoCHD+aprafKhn4JHHtsAtOCzJc8TYQM1UPpS4IB9mL22Jug9MOLTgEyOOOcgO 
+qDJGNRsiuxiwliBWAPG31SZyGJXtOoAINTRG5gVBy++tznRwgSAs0XI1A+9XPDWucg5BsoIW55b h0yF5rcdkh62PqCPMEi793jhBQ1KfichEhj40Z5q3gcRTiktFnXUosGJnY5Ed2nTA951XIuMdOIB E8Q0a8aA4WVUGFoTjoaIDjZDQcKDFZtnPK0LU0aaA9R43Uju9m0uTuQeLt1zxzpsrLO1SxjdkDBM 6nGsG3KHWpVwg5ghyBFQFKnh3Y7l6i6ca0tlnBVAp5V44zhkITLC8c9HZXXGDSS5XDYNtqN2yCIo 9AsHDEEMCyZB+YXnjLs0JuoqbEyju7IJuA9q3EHrJEm5FPeQJUJ6Eh6gSRcJ9IIF5RunkLEKES/C +qrJlyw4YgZro628m9wRmKouw5CViZHNPVhBgzBEZXLBxKstYQGyNBbrLgT9Pls0gP7hGjto5sWv Sa7R9gZpLB8Fg8h4kIe9MtBd3DfjtfPy1S56QlWmUPDgZuGsdrBo3pT0s1ojcQXOtWYgtN5qXEZg T2ZEYoIcsjsvo44GONawO9aFtJhSrjEiCQSJ2izelofRo31x21FLIVHV6XIp0oUIPDlFDCqMXVoa iZpIPfs0uwtgEb+HoQ5xgpAU4sfZ6XbELYsSgSHVbExbYVVw+JCprUO0gktKA15FXmBhFij0mgaA 0JxQ+c0aJ5LiYVEW6mAR6ogNoMPJtOAkZq0Iu7RBqQmuYP0c2ho4ii8QOBGlDFSrggmqYNFCCIqZ sKNA0onEZlMoIJMjC4hQVHcL7Kq3XSWiDcVWikUOBiw1MwOFzJJIfaMlO/o4JjiFHHHK8OSdUDjJ znpyDoDiwe3iI+r1kKYpU6ePyZN8k7J7eOtA4IE/jgTwOgZwdOHSJwBIxCj6POBwiZQ9dQhBEwhW g2jRGxkR+hPbJ5T44LGAPGKxQgwW+p4lAKR2S8GO5Q0GD16WQ5knVGoComIaCSCZi0xkUxA8elPx x2f0OIvjJlXy7aDSLnnQoibG+ZCO061SQOiPWh4SXbmVZmWjHxPYCZC2NLShzu6R2Q5OgM2/kDS0 RSJ40R6Clw1pGFcaa0yYY1iogIzHLRzgbkTL3wYY8Y8SeNjsdIu2FKN3OmuIEtjUfbtBAGoiqJCE qOQD8xtwxUgET9grot8HAnZ2t5+0KgRP2Fw4yHYR0VaBu3aSI+jCKgQsZ9sYBLGS0VTxvlxUw/HC sCOO7cag7NUC3qIwwlNOIaTInKGxMVCsRDlNvFEpyAiHIe5erFBQhEW3G1QeC0miuBlzqGsi7PZu aq2dLN7XGIWHC9BezPh56DkjxDokWSzQOp7k/WV1BDXWeq40JVSiRw2yNkvg6T9hplE0NJRIGg9i 7WN8scq78A+9IK2im9ENRvrTzgBCWhDkOY+cChtVWwBMX83dw2gJFEC5DSoHAJZXy0hG8vmxobQM A2AUNgYNgQWTM0FmZx69AHjL4mkusE7zlAESyVEE0hJcnELyOA8xoG2y0iLLHU96HNZFoaA7B4D1 8RnBGHxYMjbkImSx1krC3JbllNXbPIgeTQYNz1zw4vUYXeMOing8TB1csIhVBROmLCScCuvqskh7 +RvDn4XJYuMJzbhUfsyd4FDGx3WF0dITeNqJTseB28Tvpz5l3ceTxnzMTRyHQUA0IeOrnz13kjvn xiZilJGamSa0b1EYDBZImh7IFaANT1gB1RQUBQrS0g0flgDJShpRWZBoFoUJhS2QDSJQ0qFIxABQ BSNBEAxItFBTTVP35A1QuScyIVEoFIFJSFDSCxAlKhSrBFDRSJQ000lA0jRpA5LyBWIChKRIhSmv zxmAooaGgUpAoApKRKHkqGIRClf1eMSSvJPrjELVFC0jcgRO06iTrqCq4r9+JokPmao1hZkIJR6o 
VjaYVGikDlIW4JsaEOcJQ0Ujw8Z6gxOIzQA7ytC0BUwi0IJSUqUC0TFk4fRVCj/mmu0OIbgQ/CQ5 yaAFx8Ud6NYEyUdSENk0K308VinWFC1EEiEhpHL0blIrjsGxpDgENKCesNznr3J1No5cznLuKvCr rrQ5D0I5vs7gsHmsIfEQd2+ZV3w6k9lnIwQ3k8ql1zL3eecOxubQGOAv2w/dipahkpKsbuCB+9D6 /Tl+3MuxvGIpeyZ/T794TRzEUXB+FFizggpxE3urVimBn2lCU1BNwGtEGYuZhn1b2Et6LCEpMzhp zbhKNBArYcw9kMTeotyHVV3mRJCCKCTAZhkHCOBom+TUMO+a10lEKkIcuAG48EUppIlp0aaCxGmo DZ1FUVoiDUebnMEaDWNjBJqpvGynIqmINY1inVFWNtNip1EYpRnawpBkTTlcfVuPGI6HRssYyEQx 4xpuFYMhQmTYn09vTlMnoWm8Y0c5EnOU4rFjJiIwTRGzpKtyDgXNsSG1TRGxiraLYsesc47G7une 8AqUaFJe5NK45CTQRU0+snYCumaZnacFs0Z0bEbJqxu5ONwsbSaL14G5NbZxRUaHMaC7BjjTO3Nj bc3I9e9YmQHkJooAwfWq+oepwHJj13kDsesFGYIhI2rSlsEbRDSYjas4m1iIhodfKf0ipBEiIofz mhRyeBvAwnxd1TzcZkIjJGMs72JspCDXmeEGbX5BnKvEwDpIvUaR6oFoHzQh4SieM1Qa+kIDMFCB F4lV0FIp2XSFKhSpSqUNCD54TCEKBKYhChpKQGhSgEpR7GJHQtFLp2xfLKAaTQAPd4/aNBusx2+Y tNf+ZtoGZ+eMKLAD7L5eeuqGl2KeWyeq7gYfRNurkyPq85EbGYmZYYhTTEMSxBDrQRwV/cGJKgVg YEOAH7cRXXTYlfdAFDR1i/VdS+m7E+eGJ/8rIwcwQDJQTGAmFaIkO6O/18R8nUbqnAPV7P5y83iv TDzQ/Ymv5Y7M/mdIdAlKTyeWerasoMkDQ0aDbGh+LnNFEfIO8P7XtM+L+a+0ew6CmkPyhh0PQYwS R2mI7uzWvDm4aqLuArnej4AA+hiqKfNHwy768eqqTqTm11WAi6Hv7fLlsRXXUIZkYihXVZbBCAas kwIIigy8VPkzM8RPSlDZXYtF1S2+5MLdKUzQuzRMDoDSysXQ+ti2aaSxohk4D4y+yRNE1dBD7i1M d2k6kwP0rJiXURA5Dtc8ZiCye7C27uEjQBBt7ZggXF0FZCFpShQMEmCz5Cv8xMpsd068Jh1/JrBs vRrOeNwGjl5qbGxxwFJwas1XHa8sJG3Mo44wuF0TgCpSdrxR03LkyMeDrFu7lMajFjTAJM4ehcCQ TKBNIbEvFIQ9mjY6SgKDRLZlnE1VBmNznZDNwpVNuNljkeooV4yNVt/codLExIXIze4QnOoUfU4J nWuz6GYbQuFbA+oenCHkdYdcrsDRD/H/l58oUwIAoXuQ5lF0gTEJ5MSWSJkz0gLRgj6n8sPfnpyw NY+mzg6j0I/VIISgQINIHWB9/P/o/xnf6YKnyjiHUY9h1biF9gyE5MCiUQO3eqabhJMvGYrECEQF BS6APBTR49u/0IyuwsK9q+yF7yrRmOpaUNu9+Qox39AHP889GbcQ7jQ0RkHGDOl2qIkRjoVeYUTH 8FSajYfkuyQ2e3UPZ4ny+BMMA+nExErjbRCLqE3kVDU7mYfUHP7cJP0/pUOo2Yf+NHhdC/5VSC3b aJdVEOTLDvwHiYnaI+v9yEhE6NpduWaIoMDzEGaj3kGEjk1Fkmvr/0yNAeSqOpOwBZA9fl6PrfN7 nDD8bbaT/VsE8FSG9UePGXdpAtChkEScsNSMfKq60AwEDJoxxrZvCahR/4RSA6NTxJRuSfs9ocCi 
L5/O0vtI6oHVneeqK9Bkbbkj0ID1isIh4/A/d3naKCPx3AJ2mCBPtc5/QeeVIPxnnPgGWHwDXUZh 3gA+t9lDJDEy1EbdQfewnSIgD956gQ6QERISJSISSsyK0UIcD+9gGCfdIGhediKSFqkwegyAfogD BDthgOHye5O3dD+SQKEWhdwPBOuGEg0mny9vu9QRN1RmXyDimFx1er3vpiE+Hep6dHrFNXj8+j7g ngP8hJwCPakvjGSGsfgn5MQPMczBm5cucvqr5v0faEu2v69pOIB2oZnOVUA+t5/RXPnR9vUHAC4s PnJ9qKqh/vmwTEBSSxEUwTF/PgxEURtl0vJEQg7JoGsaQJy/P9i30dmxp+hRUe6Iei8F5oYCVFvy ooF4UUKz1Cl5bnusnql3cfTmtdQ73HVGcgiG2YX8hVv2slgepFIQFmhoizWtsmxrBb83nAofzSP2 V8A90DEDwRHDcDh6KRUs6wxZSiKzKMrwpFhjoWjK3lKNyK0AyqDE3Adp/AI8/D0M4ZXb5rgW8DrN HZ9KeqYUGjwLkK05kBPtlBql7nt2Qf7CpPLS0eIfHbfiD7cCfRwyeLRBDWgoOiFq4YlYcHUe+g8k nvDtMPzzQUJDalwkJJoPL+rWgKAIhZSSJiJCUp7GmISgyCsZQwqOUh8RDfZ1aPVD54FOUD+uDQNA Uhzhj4XSGluZfDLySqMYO61JSlJqE/zZh+3M9zjl09+jkXCOnDC/jgo5Pr3g8TS18QmhoJHiBl/N D8ZPEBeMGtsjpdLFQd/p9Sek9n1/mahSikb/+fqNOiiA9ic9cA9AfYHQ+W+41hQJQjRBrDKkwnWO bjRVSXC2uZ5uckuO0ZJIioidOMbVocEkRVRKaTLIpV/vID6hh5JB8iPxPJOvMCkzYU0pol9ZoHlI B5KofyjA0rEkSCST2+iXt3HqnoZnABIc5fv7D0naB9Hd5HZQJ/AnM95D5gP09tHxD+4MEEExRUQM jy0NfJgGU0xH9SdF7ZehgZ6ANdpg+uKV7wfkIm9Ibn4i8vApPbGVyypvAntuTn0PU6cX6vyYH88v rUP2WYSjpAFKxEkPs1KCWnxa6joQOPcSVa80o1qxjTE0UxSbaYiKB1gqIiiqt3bhlpMYzFFNEtW2 ppv4c6bmtb2E8eaDGmWK8Q8OdOIciIoqiZe7UqHbEBvVD1iuLyA7JE5nVFIeUWXNokKmKWP596Sj 8mTAlHicQSSVTVBTTfew6blkoqgJqDiRyCVkOQ+VMGt16h6R4Smc3nuogTdkCzUnDUenctyUDLd2 Qrag+gStqJcrXMfuO5A/XusPxZAsjkamBsjD0Ynd5vZsB7Pu6Hmjxj44DXV1yqhQoVPaD5JA4hRd scuZmD97IjgOKAcC9wGB9Hbv5dnuOD19fQYIeL8N0IoKKkmDqP+vs00Y0Sfyw9BlgNA5ih6ZPYiO jtM/X8Fpjl4SmiIJYRCmSopgmkqGIIEIikpqIpVi5c+rIu36BPHTxC/Pu4MQPP3e/A65Q1O6QIds fGfRBNMge4fCQQ6Md69U+Ex/R8fQO5nzMh3ye9pqIvDM5/1uYYfAENKcEXvjCJIvMj4GOoV26Ydm 6dcq9yu/b8oawYizeKmIJ5vR+FhlhuBwqFQEhaA0UnmA0N93LpKHWlaFoT4wBoKAPMqeITjUhoKR KdKxCfFHdcpHtZ3qiyMgMZO6NegM2+/PlRIUd5oiQKQKQKQaVKUDkQZCFNAfj+B+414CBnuA0B6k hDkSJQtIFNLSDS0Ac7JKAKD2wZBSByPGX2spMoRARCSUSHgjs8wvLFpCgaMHqX05qNoMz4cDslUS U0FN4+ZzRTRHZBQbXZ68yRmk8g+c1pakgvCMY80Ox4LtAD+75ge3iAtlf3PlE/5TmBkfjr1QMWZU 
GsqsmRDa4YH+r+taa/wG9D5Rhzig3GRwkfFCTvCQ0QwFD+UolGAmFoIn/diGQkSmoeg493dtIGkU 2NAHP78Q5QgVJKkQJ/3ffiKmpEDkcHb0P60+j7e0AXv4/JdWL0r53JrX5iYl+1xd7Hpy1xH4LPs/ STsU/RrCvnqYQW3+hB/8pWnRA6z+WJyNczJTUKGJbhqo7Izw1TtqJo3Nt7JkLTXducPqdbNU0mNU aGTplRRnTrklaG5HB6XYOl0rwM2z9xrjXDCG4E6ehJjC6KQhHGwheHG95p4gCta0DpM0TeiOE5Wi dcQIJ49OG9WOkrJBoVEQRQl0ZONYdYmpx1fZAVGdQHuUCznaDOLVlu/Ke2sDp71oOJ5pzJKKpXIc HTaONN12cowI7cONbN51QicYUH/tnAHjkYW6HcgUIIleEUYODlq8ON/xYpe8CB47xQ5iFGbWu1rR GSk4lPHcAl0HLi7XAclqTPuk5lAV1jTpSX79MxW94UOUdBzwwnOhbMlV5Fh3ndr1CwizlqyEG0Wy pTati207xhoQGnEbdzWO2grBcNDvd9FhoHtyE00taet3WsLxJoxVw3FTvOB6ZFulW62bydQ1p5ri ouI0YmaUZimOt6XyvhquIBTbszbg0IooDjcQQPfOCmMfMwu+GjbQxywfv7XC1kcFPSjk9OmnLHBn LXN4aiKLDDV1Neh/i1DTZcO1kpkE0OBxtz6LkWdi0e9THTq25oydtyGut+Oc3CJMt9Oco9Tqw6SN WhRZVIlRhJMpbvdlq4GUaIY0xy5Zsa6h2YOzdIDBFSAQIY07Bx5U8PDo0TKlPLGN4+C5SHQ1xwTD v6Zixvoi6pnuvV0ddoL7yOe7CvfM3gNxnNnLHjksLYbemUzMl4CmxKWvwyaDOSfq4HgM57lnCdCX CaPLk7CbZVyeBKhpSJNLQDIuIRJBgU8Ib7Gl3GTHg2ENTL6TXimucrxaGMzqnTlcOR3GqVQeiGP2 9XfBJ0Sg6AdC7NmmB446aYE3sDU1CeM7T9ypJ2T9CHWcuuAH5oED88AGRVAlAJTQgUqlB81/FrrT 2Qhd7/khEpiVoCUkGEhXzHRfIfF+qEO6QoA7/TAHmCrY7BTsJAOoPJdh5H3HLYP0Y9PqVU+2EE8l 3CdaPfD0/i+Bz+85gTNNRKwTCRERSjTKgHshQxv2/squ8/p92bn4Afhn/CfAf+P9mv6uz5O79Mk1 9ABLJjguwHqPqQ7/iQP/WUPt7I5D++dr+eRHgPF50R5DQyxQYnIREK5UA2BgJG+x3/k//xdyRThQ kNsZS58=