From 0338af62b999b8dcc6c1cc5ee2a2da9ef2daae42 Mon Sep 17 00:00:00 2001
From: doktornotor
Date: Fri, 25 Sep 2015 15:28:49 +0200
Subject: squid3 - code style fixes, improve descriptions, hide no-op options
---
config/squid3/34/squid_upstream.xml | 280 +++++++++++++++++++++--------------
1 file changed, 167 insertions(+), 113 deletions(-)
diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml
index b8696750..14e23216 100755
--- a/config/squid3/34/squid_upstream.xml
+++ b/config/squid3/34/squid_upstream.xml
@@ -2,56 +2,51 @@ - - +. - All rights reserved. - */ -/* ========================================================================== */ + squid_upstream.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - - Describe your package here - Describe your package requirements here - Currently there are no FAQ items provided. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ====================================================================================== */ + ]]> + squidremote - none - Proxy server: Remote proxy settings + 0.3.5 + Proxy Server: Remote Proxy Settings /usr/local/pkg/squid.inc - + General /pkg_edit.php?xml=squid.xml&id=0 @@ -99,7 +94,7 @@ enable - name + Name proxyaddr @@ -109,17 +104,16 @@ ICP icpport - + - Peer type + Peer Type hierarchy Method peermethod - + - General Settings 
@@ -135,7 +129,7 @@ Hostname proxyaddr - Enter here the IP address or host name of the upstream proxy. + Enter the IP address or host name of the upstream proxy here. input 35 @@ -143,48 +137,78 @@ Name proxyname - Unique name for the peer.Required if you have multiple peers on the same host but different ports. + + + Note: Name is required if you have multiple peers on the same host but different ports. + ]]> + input 35 - TCP port + TCP Port proxyport - Enter the port to use to connect to the upstream proxy. + Enter the port to use to connect to the upstream proxy here. input 5 3128 + + - Allow Miss + General Options (Allow Miss/No Tproxy/Proxy Only) allowmiss - allow-miss - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.

- no-tproxy - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.

- proxy-only - Objects fetched from the peer will not be stored locally.]]>
+ + allow-miss - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.
+ no-tproxy - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.
+ proxy-only - Objects fetched from the peer will not be stored locally.

+ Note: Use CTRL + click to select multiple options. + ]]> +
select allow-miss @@ -196,9 +220,17 @@ 4
- Peer settings + Peer Settings listtopic + + info + + cache_peer directive documentation for detailed description of the settings below.
+ ]]> +
+
Hierarchy hierarchy @@ -212,20 +244,21 @@ - Select method + Select Method peermethod -
- default - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.
- If specified more than once, only the first is used.

- round-robin - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.
weight=N can be used to add bias.

- weighted-round-robin - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.
- Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.

- carp - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.

- userhash - Load-balance parents based on the client proxy_auth or ident username.

- sourcehash - Load-balance parents based on the client source IP.

- multicast-siblings - To be used only for cache peers of type "multicast".
- ALL members of this multicast group have "sibling" relationship with it, not "parent". This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.
- It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]>
+ + + Please see cache_peer directive documentation for details.

+ default - Parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.
+ round-robin - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.
+ weighted-round-robin - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.
+ carp - Load-Balance parents which should be used as a CARP array.
+ userhash -Load-Balance parents based on the client proxy_auth or ident username.
+ sourcehash - Load-balance parents based on the client source IP.
+ multicast-siblings - To be used only for cache peers of type "multicast".
+ ]]> +
select round-robin @@ -239,45 +272,68 @@
- weight + Weight weight - Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more. + + + Note: The weight must be an integer; larger weights are favored more.

+ Default: 1 + ]]> +
input 5 1
- basetime + Basetime basetime - - It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]> + + + It is subtracted before division by weight in calculating which parent to fetch from. If the RTT is less than the base time, the RTT is set to a minimal value. + ]]> + input 5 1 - ttl + TTL ttl - - Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]> + + + Note: Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option. + ]]> + input 5 1 - no-delay + No Delay nodelay - + + + checkbox - ICP settings + ICP Settings listtopic - ICP port + ICP Port icpport - Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies. + + + Hint: Use port number 7 to disable ICP communication between the proxies. + ]]> + input 5 7 @@ -285,14 +341,16 @@ ICP Options icpoptions - - The defaults will prevent peer traffic using ICP

- no-query - Disable ICP queries to this neighbor.

- multicast-responder -Indicates the named peer is a member of a multicast group.
- ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.

- closest-only - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.

- background-ping - To only send ICP queries to this neighbor infrequently.
- This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]>
+ + Note: You MUST also set 'ICP Port' explicitly when using these options. The defaults will prevent peer traffic using ICP.
+ Please see cache_peer directive documentation for details.

+ no-query - Disable ICP queries to this neighbor.
+ multicast-responder - Indicates the named peer is a member of a multicast group.
+ closest-only - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.
+ background-ping - To only send ICP queries to this neighbor infrequently.
+ ]]> +
select no-query @@ -303,7 +361,7 @@
- Auth settings + Auth Settings listtopic @@ -319,25 +377,21 @@ password - Authentication options + Authentication Options authoption - login=user:password - If this is a personal/workgroup proxy and your parent requires proxy authentication.

- login=PASSTHRU - Send login details received from client to this peer. Authentication is not required by Squid for this to work.
- This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.

- login=PASS - Send login details received from client to this peer.Authentication is not required by this option.
- To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).
- Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION

- login=*:password - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.

- login=NEGOTIATE - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
- The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.
- WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.

- login=NEGOTIATE:principal_nameIf this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
- The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. - WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.

- connection-auth=on - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
- Default is auto to automatically determine the status of the peer.

- connection-auth=off - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
- Default is auto to automatically determine the status of the peer.]]>
+ + cache_peer directive documentation for details.

+ login=user:password - If this is a personal/workgroup proxy and your parent requires proxy authentication.
+ login=PASSTHRU - Send login details received from client to this peer. Authentication is not required by Squid for this to work.
+ login=PASS - Send login details received from client to this peer. Authentication is not required by this option.
+ login=*:password - Send the username to the upstream cache, but with a fixed password.
+ login=NEGOTIATE - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
+ login=NEGOTIATE:principal_name - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
+ connection-auth=on - Peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
+ connection-auth=off - Peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
+ ]]> +
select login=*:password -- cgit v1.2.3
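Review bot: The shortened `login=PASS` entry in the Authentication Options description no longer says that this mode exposes the users' proxy password to the peer, and both `login=NEGOTIATE` entries lose the warning that the peer connection may carry requests from multiple clients while Negotiate assumes a single end-to-end client. The added link to the cache_peer documentation covers the detail, but an administrator choosing from this list sees only the one-line summary, so the caution should stay next to the option it applies to. I would append `Warning: this exposes your users' proxy password to the peer.` to the `login=PASS` line and `Warning: the connection may carry requests from multiple clients.` to the two NEGOTIATE lines. The surrounding field definition continues outside the hunk.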