From 358776d4794e2be413822b2e79aefe3f274dbe18 Mon Sep 17 00:00:00 2001
From: cajus
Date: Tue, 10 Jul 2007 12:49:27 +0000
Subject: [PATCH] Removed altlinux specific stuff from contribs. These are config files, only.

git-svn-id: https://oss.gonicus.de/repositories/gosa/branches/2.5@6808 594d385d-05f5-0310-b6e9-bd551577e9d8
---
 contrib/altlinux/etc/cyrus.conf | 43 -
 contrib/altlinux/etc/gosa/gosa.conf | 170 --
 contrib/altlinux/etc/imapd.conf | 210 --
 contrib/altlinux/etc/ldap.conf | 227 --
 contrib/altlinux/etc/nsswitch.conf | 62 -
 contrib/altlinux/etc/openldap/ldap.conf | 17 -
 contrib/altlinux/etc/openldap/slapd.conf | 311 --
 contrib/altlinux/etc/postfix/main.cf | 596 ----
 contrib/altlinux/etc/samba/smb.conf | 73 -
 contrib/altlinux/etc/sasl2/imapd.conf | 2 -
 contrib/altlinux/etc/sasl2/saslauthd.conf | 74 -
 contrib/altlinux/etc/services | 557 ----
 contrib/altlinux/etc/squid/squid.conf | 3303 ---------------------
 contrib/altlinux/init.ldif | 124 -
 14 files changed, 5769 deletions(-)
 delete mode 100644 contrib/altlinux/etc/cyrus.conf
 delete mode 100644 contrib/altlinux/etc/gosa/gosa.conf
 delete mode 100644 contrib/altlinux/etc/imapd.conf
 delete mode 100644 contrib/altlinux/etc/ldap.conf
 delete mode 100644 contrib/altlinux/etc/nsswitch.conf
 delete mode 100644 contrib/altlinux/etc/openldap/ldap.conf
 delete mode 100644 contrib/altlinux/etc/openldap/slapd.conf
 delete mode 100644 contrib/altlinux/etc/postfix/main.cf
 delete mode 100644 contrib/altlinux/etc/samba/smb.conf
 delete mode 100644 contrib/altlinux/etc/sasl2/imapd.conf
 delete mode 100644 contrib/altlinux/etc/sasl2/saslauthd.conf
 delete mode 100644 contrib/altlinux/etc/services
 delete mode 100644 contrib/altlinux/etc/squid/squid.conf
 delete mode 100644 contrib/altlinux/init.ldif

diff --git a/contrib/altlinux/etc/cyrus.conf b/contrib/altlinux/etc/cyrus.conf
deleted file mode 100644
index 4ada8431e..000000000
--- a/contrib/altlinux/etc/cyrus.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-# standard standalone server implementation
-
-START {
- # do not delete this entry!
- recover cmd="ctl_cyrusdb -r"
-
- # this is only necessary if using idled for IMAP IDLE
-# idled cmd="idled"
-}
-
-# UNIX sockets start with a slash and are put into /var/lib/imap/socket
-SERVICES {
- # add or remove based on preferences
- imap cmd="imapd" listen="imap" prefork=5
-# imaps cmd="imapd -s" listen="imaps" prefork=1
- pop3 cmd="pop3d" listen="pop3" prefork=3
-# pop3s cmd="pop3d -s" listen="pop3s" prefork=1
- sieve cmd="timsieved" listen="sieve" prefork=0
-# smmapd cmd="smmapd" listen="/var/lib/imap/socket/smmapd" prefork=1
-
- # these are only necessary if receiving/exporting usenet via NNTP
-# nntp cmd="nntpd" listen="nntp" prefork=3
-# nntps cmd="nntpd -s" listen="nntps" prefork=1
-
- # at least one LMTP is required for delivery
-# lmtp cmd="lmtpd" listen="lmtp" prefork=0
- lmtpunix cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
-
- # this is only necessary if using notifications
-# notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
-}
-
-EVENTS {
- # this is required
- checkpoint cmd="ctl_cyrusdb -c" period=30
-
- # this is only necessary if using duplicate delivery suppression,
- # Sieve or NNTP
- delprune cmd="cyr_expire -E 3" at=0400
-
- # this is only necessary if caching TLS sessions
- tlsprune cmd="tls_prune" at=0400
-}
diff --git a/contrib/altlinux/etc/gosa/gosa.conf b/contrib/altlinux/etc/gosa/gosa.conf
deleted file mode 100644
index d1ceab343..000000000
--- a/contrib/altlinux/etc/gosa/gosa.conf
+++ /dev/null
@@ -1,170 +0,0 @@
- - - -
- - - - - - - - - -
- -
- - - - - - - -
- -
- - - - - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - -
-
- -
diff --git a/contrib/altlinux/etc/imapd.conf b/contrib/altlinux/etc/imapd.conf
deleted file mode 100644
index 5ae2d9b5f..000000000
--- a/contrib/altlinux/etc/imapd.conf
+++ /dev/null
@@ -1,210 +0,0 @@
-# In more detail to look in man 5 imapd.conf
-
-#@include:
-
-admins: cyrus
-
-#afspts_localrealms:
-#afspts_mycell:
-
-#allowallsubscribe: 0
-#allowanonymouslogin: 0
-allowapop: 0
-#allownewnews: 0
-allowplaintext: 1
-#allowusermoves: 0
-#altnamespace: 0
-sasl_mech_list: plain
-
-annotation_db: skiplist
-
-autocreatequota: 10240
-#createonpost: 0
-#autocreateinboxfolders:
-#autosubscribeinboxfolders:
-#autosubscribesharedfolders:
-
-#berkeley_cachesize: 512
-#berkeley_locks_max: 50000
-#berkeley_txns_max: 100
-
-
-configdirectory: /var/lib/imap
-#debug_command:
-#defaultacl: anyone lrs
-
-#defaultdomain: taf.ru
-#defaultpartition: default
-#deleteright: c
-
-duplicate_db: berkeley-nosync
-duplicatesuppression: 0
-
-#foolstupidclients: 0
-#force_sasl_client_mech:
-#fulldirhash: 0
-
-hashimapspool: 1
-#hostname_mechs:
-#hostname_password:
-
-idlesocket: /var/lib/imap/socket/idle
-#ignorereference: 0
-#imapidlepoll: 60
-imapidresponse: 0
-#imapmagicplus: 0
-#implicit_owner_rights: lca
-
-#ldap_authz:
-#ldap_base:
-#ldap_bind_dn:
-#ldap_deref: never
-#ldap_filter:
-#ldap_group_base:
-#ldap_group_filter: (cn=%u)
-#ldap_group_scope: sub
-#ldap_id:
-#ldap_mech:
-#ldap_member_attribute:
-#ldap_member_base:
-#ldap_member_filter: (member=%D)
-#ldap_member_method: attribute
-#ldap_member_scope: sub
-#ldap_password:
-#ldap_realm:
-#ldap_referrals: 0
-#ldap_restart: 1
-#ldap_sasl: 1
-#ldap_sasl_authc:
-#ldap_sasl_authz:
-#ldap_sasl_mech:
-#ldap_sasl_password:
-#ldap_sasl_realm:
-#ldap_scope: sub
-#ldap_servers: ldap://localhost/
-#ldap_size_limit: 1
-#ldap_start_tls: 0
-#ldap_time_limit: 5
-#ldap_timeout: 5
-#ldap_tls_cacert_dir:
-#ldap_tls_cacert_file:
-#ldap_tls_cert:
-#ldap_tls_check_peer: 0
-#ldap_tls_ciphers:
-#ldap_tls_key:
-#ldap_uri:
-#ldap_version: 3
-
-
-
-lmtp_downcase_rcpt: 1
-lmtp_over_quota_perm_failure: yes
-#lmtpsocket: {configdirectory}/socket/lmtp
-lmtpsocket: /var/spool/postfix/public/lmtp
-
-#loginrealms:
-#loginuseacl: 0
-#logtimestamps: 0
-
-#mailnotifier:
-#maxmessagesize: 0
-
-mboxlist_db: skiplist
-
-#mupdate_connections_max: 128
-#mupdate_authname:
-#mupdate_password:
-#mupdate_port: 3905
-#mupdate_realm:
-#mupdate_retry_delay: 20
-#mupdate_server:
-#mupdate_workers_start: 5
-#mupdate_workers_minspare: 2
-#mupdate_workers_maxspare: 10
-#mupdate_workers_max: 50
-#mupdate_username:
-
-#netscapeurl: http://asg.web.cmu.edu/cyrus/imapd/netscape-admin.html
-
-#newsmaster: news
-#newspeer:
-#newspostuser:
-#newsprefix:
-#notifysocket: {configdirectory}/socket/notify
-
-partition-default: /var/spool/imap
-#partition-name:
-#plaintextloginpause: 0
-
-#popexpiretime: -1
-#popminpoll: 0
-poptimeout: 5
-#postmaster: postmaster
-#postuser:
-#proxy_authname: proxy
-#proxy_password:
-#proxy_realm:
-#proxyd_allow_status_referral: 0
-#proxyservers:
-
-#ptloader_sock:
-
-#ptscache_db: berkeley
-#ptscache_timeout: 10800
-#ptskrb5_convert524: 1
-
-#quota_db: quotalegacy
-#quotawarn: 90
-#quotawarnkb: 0
-
-# If you want to have 8-bit symbols in 'Subject' the
-# reject8bit should matter 0
-reject8bit: 0
-
-#rfc2046_strict: 0
-#rfc3028_strict: 1
-
-#sasl_auto_transition: 0
-#sasl_maximum_layer: 256
-#sasl_minimum_layer: 0
-#sasl_option: 0
-sasl_pwcheck_method: saslauthd
-
-seenstate_db: skiplist
-
-sendmail: /usr/sbin/sendmail
-servername: example.com
-
-#sharedprefix: Shared Folders
-#sieve_maxscriptsize: 32
-#sieve_maxscripts: 5
-sievedir: /var/lib/imap/sieve
-#sievenotifier:
-#sieveusehomedir: 0
-
-#singleinstancestore: 1
-#skiplist_unsafe: 0
-#soft_noauth: 1
-#srvtab:
-
-subscription_db: flat
-
-#syslog_prefix:
-
-#temp_path: /tmp
-#timeout: 30
-#tls_ca_file:
-#tls_ca_path:
-#tlscache_db: berkeley-nosync
-#tls_cert_file: /var/lib/ssl/certs/cyrus-imapd.pem
-#tls_cipher_list: DEFAULT
-#tls_key_file: /var/lib/ssl/certs/cyrus-imapd.pem
-#tls_require_cert: 0
-#tls_session_timeout: 1440
-
-#umask: 077
-username_tolower: 1
-#userprefix: Other Users
-#unix_group_enable: 1
-#unixhierarchysep: 0
-#virtdomains: on
diff --git a/contrib/altlinux/etc/ldap.conf b/contrib/altlinux/etc/ldap.conf
deleted file mode 100644
index c245047c4..000000000
--- a/contrib/altlinux/etc/ldap.conf
+++ /dev/null
@@ -1,227 +0,0 @@
-# @(#)$Id: ldap.conf,v 1.1 2004/09/16 06:46:19 migor-guest Exp $
-#
-# This is the configuration file for the LDAP nameservice
-# switch library and the LDAP PAM module.
-#
-# PADL Software
-# http://www.padl.com
-#
-
-# Your LDAP server. Must be resolvable without using LDAP.
-# Multiple hosts may be specified, each separated by a
-# space. How long nss_ldap takes to failover depends on
-# whether your LDAP client library supports configurable
-# network or connect timeouts (see bind_timelimit).
-#host 127.0.0.1
-
-# The distinguished name of the search base.
-base dc=example,dc=com
-
-# Another way to specify your LDAP server is to provide an
-# uri with the server name. This allows to use
-# Unix Domain Sockets to connect to a local LDAP Server.
-uri ldap://127.0.0.1/
-#uri ldaps://127.0.0.1/
-#uri ldapi://%2fvar%2frun%2fldapi_sock/
-# Note: %2f encodes the '/' used as directory separator
-
-# The LDAP version to use (defaults to 3
-# if supported by client library)
-ldap_version 3
-
-# The distinguished name to bind to the server with.
-# Optional: default is to bind anonymously.
-#binddn cn=proxyuser,dc=example,dc=com
-
-# The credentials to bind with.
-# Optional: default is no credential.
-#bindpw secret
-
-# The distinguished name to bind to the server with
-# if the effective user ID is root. Password is
-# stored in /etc/ldap.secret (mode 600)
-#rootbinddn cn=manager,dc=example,dc=com
-
-# The port.
-# Optional: default is 389.
-#port 389
-
-# The search scope.
-#scope sub
-#scope one
-#scope base
-
-# Search timelimit
-#timelimit 30
-
-# Bind/connect timelimit
-#bind_timelimit 30
-
-# Reconnect policy: hard (default) will retry connecting to
-# the software with exponential backoff, soft will fail
-# immediately.
-#bind_policy hard
-
-# Idle timelimit; client will close connections
-# (nss_ldap only) if the server has not been contacted
-# for the number of seconds specified below.
-#idle_timelimit 3600
-
-# Filter to AND with uid=%s
-#pam_filter objectclass=account
-
-# The user ID attribute (defaults to uid)
-#pam_login_attribute uid
-
-# Search the root DSE for the password policy (works
-# with Netscape Directory Server)
-#pam_lookup_policy yes
-
-# Group to enforce membership of
-#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
-
-# Group member attribute
-#pam_member_attribute uniquemember
-
-# Template login attribute, default template user
-# (can be overriden by value of former attribute
-# in user's entry)
-#pam_login_attribute userPrincipalName
-#pam_template_login_attribute uid
-#pam_template_login nobody
-
-# HEADS UP: the pam_crypt, pam_nds_passwd,
-# and pam_ad_passwd options are no
-# longer supported.
-
-# Do not hash the password at all; presume
-# the directory server will do it, if
-# necessary. This is the default.
-#pam_password clear
-
-# Hash password locally; required for University of
-# Michigan LDAP server, and works with Netscape
-# Directory Server if you're using the UNIX-Crypt
-# hash mechanism and not using the NT Synchronization
-# service.
-#pam_password crypt
-
-# Remove old password first, then update in
-# cleartext. Necessary for use with Novell
-# Directory Services (NDS)
-#pam_password nds
-
-# Update Active Directory password, by
-# creating Unicode password and updating
-# unicodePwd attribute.
-#pam_password ad
-
-# Use the OpenLDAP password change
-# extended operation to update the password.
-#pam_password exop
-
-# RFC2307bis naming contexts
-# Syntax:
-# nss_base_XXX base?scope?filter
-# where scope is {base,one,sub}
-# and filter is a filter to be &'d with the
-# default filter.
-# You can omit the suffix eg:
-# nss_base_passwd ou=People,
-# to append the default base DN but this
-# may incur a small performance impact.
-#nss_base_passwd ou=People,dc=example,dc=com?one
-#nss_base_shadow ou=People,dc=example,dc=com?one
-#nss_base_group ou=Groups,dc=example,dc=com?one
-#nss_base_hosts ou=Hosts,dc=example,dc=com?one
-#nss_base_services ou=Services,dc=example,dc=com?one
-#nss_base_networks ou=Networks,dc=example,dc=com?one
-#nss_base_protocols ou=Protocols,dc=example,dc=com?one
-#nss_base_rpc ou=Rpc,dc=example,dc=com?one
-#nss_base_ethers ou=Ethers,dc=example,dc=com?one
-#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
-#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
-#nss_base_aliases ou=Aliases,dc=example,dc=com?one
-#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
-
-# attribute/objectclass mapping
-# Syntax:
-#nss_map_attribute rfc2307attribute mapped_attribute
-#nss_map_objectclass rfc2307objectclass mapped_objectclass
-
-# configure --enable-nds is no longer supported.
-# For NDS now do:
-#nss_map_attribute uniqueMember member
-
-# configure --enable-mssfu-schema is no longer supported.
-# For MSSFU now do:
-#nss_map_objectclass posixAccount User
-#nss_map_attribute uid msSFUName
-#nss_map_attribute uniqueMember posixMember
-#nss_map_attribute userPassword msSFUPassword
-#nss_map_attribute homeDirectory msSFUHomeDirectory
-#nss_map_objectclass posixGroup Group
-#nss_map_attribute cn msSFUName
-#pam_login_attribute msSFUName
-#pam_filter objectclass=User
-#pam_password ad
-
-# Alternatively, if you wish to equivalence W2K and POSIX
-# groups, change the uniqueMember mapping line to:
-#nss_map_attribute uniqueMember member
-
-# configure --enable-authpassword is no longer supported
-# For authPassword support, now do:
-#nss_map_attribute userPassword authPassword
-#pam_password nds
-
-# For IBM AIX SecureWay support, do:
-#nss_map_objectclass posixAccount aixAccount
-#nss_base_passwd ou=aixaccount,?one
-#nss_map_attribute uid userName
-#nss_map_attribute gidNumber gid
-#nss_map_attribute uidNumber uid
-#nss_map_attribute userPassword passwordChar
-#nss_map_objectclass posixGroup aixAccessGroup
-#nss_base_group ou=aixgroup,?one
-#nss_map_attribute cn groupName
-#nss_map_attribute uniqueMember member
-#pam_login_attribute userName
-#pam_filter objectclass=aixAccount
-#pam_password clear
-
-# Netscape SDK LDAPS
-#ssl on
-
-# Netscape SDK SSL options
-#sslpath /etc/ssl/certs/cert7.db
-
-# OpenLDAP SSL mechanism
-# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
-#ssl start_tls
-#ssl on
-
-# OpenLDAP SSL options
-# Require and verify server certificate (yes/no)
-# Default is "no"
-#tls_checkpeer yes
-
-# CA certificates for server certificate verification
-# At least one of these are required if tls_checkpeer is "yes"
-#tls_cacertfile /etc/ssl/ca.cert
-#tls_cacertdir /etc/ssl/certs
-
-# SSL cipher suite
-# See man ciphers for syntax
-#tls_ciphers TLSv1
-
-# Client certificate and key
-# Use these, if your server requires client authentication.
-#tls_cert
-#tls_key
-
-# Disable SASL security layers. This is needed for AD.
-#sasl_secprops maxssf=0
-
-# Override the default Kerberos ticket cache location.
-#krb5_ccname FILE:/etc/.ldapcache
diff --git a/contrib/altlinux/etc/nsswitch.conf b/contrib/altlinux/etc/nsswitch.conf
deleted file mode 100644
index 5f0d1eb90..000000000
--- a/contrib/altlinux/etc/nsswitch.conf
+++ /dev/null
@@ -1,62 +0,0 @@
-#
-# Please refer to nsswitch.conf(5) for more information on this file.
-#
-# This is the Name Service Switch configuration file. This file should
-# be sorted with the most-used databases at the beginning.
-#
-# Specifying '[NOTFOUND=return]' means that the search for an entry
-# should stop if the search with the previous service turned up nothing.
-# Note that if the search failed due to some other reason (like no NIS
-# server responding) then the search continues with the next service.
-#
-# Legal name services are:
-#
-# files Use local files
-# tcb Use local tcb shadow files, see tcb(5)
-# db Use local database files under /var/db
-# nis or yp Use NIS (NIS version 2), also called YP
-# nisplus or nis+ Use NIS+ (NIS version 3)
-# dns Use DNS (Domain Name Service)
-# compat Use NIS in compatibility mode
-# hesiod Use Hesiod for user lookups
-# [NOTFOUND=return] Stop searching if not found so far
-#
-
-passwd: files ldap
-shadow: tcb ldap
-group: files ldap
-
-hosts: files nisplus nis dns
-
-# To use db, put the "db" in front of "files" for things you want to be
-# looked up first in the db files.
-#
-#passwd: db files nisplus nis
-#shadow: db tcb files nisplus nis
-#group: db files nisplus nis
-#
-#hosts: db files nisplus nis dns
-
-ethers: files
-netmasks: files
-networks: files
-protocols: files
-rpc: files
-services: files
-
-# Example - obey only what nisplus tells us...
-#services: nisplus [NOTFOUND=return] files
-#networks: nisplus [NOTFOUND=return] files
-#protocols: nisplus [NOTFOUND=return] files
-#rpc: nisplus [NOTFOUND=return] files
-#ethers: nisplus [NOTFOUND=return] files
-#netmasks: nisplus [NOTFOUND=return] files
-
-bootparams: nisplus [NOTFOUND=return] files
-
-netgroup: nisplus
-
-publickey: nisplus
-
-automount: files nisplus
-aliases: files nisplus
diff --git a/contrib/altlinux/etc/openldap/ldap.conf b/contrib/altlinux/etc/openldap/ldap.conf
deleted file mode 100644
index eac6d229a..000000000
--- a/contrib/altlinux/etc/openldap/ldap.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE dc=example,dc=com
-URI ldap://localhost
-
-#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
-
-#SIZELIMIT 12
-#TIMELIMIT 15
-#DEREF never
-
diff --git a/contrib/altlinux/etc/openldap/slapd.conf b/contrib/altlinux/etc/openldap/slapd.conf
deleted file mode 100644
index 37ee30177..000000000
--- a/contrib/altlinux/etc/openldap/slapd.conf
+++ /dev/null
@@ -1,311 +0,0 @@
-# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
-#
-# See slapd.conf(5) for details on configuration options.
-# This file should NOT be world readable.
-#
-# [ GLOBAL SETTINGS ]
-# Default schemas
-include /etc/openldap/schema/core.schema
-include /etc/openldap/schema/cosine.schema
-include /etc/openldap/schema/inetorgperson.schema
-include /etc/openldap/schema/openldap.schema
-include /etc/openldap/schema/nis.schema
-#include /etc/openldap/schema/misc.schema
-#include /etc/openldap/schema/rfc822-MailMember.schema
-#include /etc/openldap/schema/kerberosobject.schema
-#include /etc/openldap/schema/corba.schema
-#include /etc/openldap/schema/java.schema
-# Addon schemas
-#include /etc/openldap/schema/autofs.schema
-#include /etc/openldap/schema/courier.schema
-#include /etc/openldap/schema/dnszone.schema
-#include /etc/openldap/schema/qmail.schema
-#include /etc/openldap/schema/qmailControl.schema
-#include /etc/openldap/schema/samba2.schema
-include /etc/openldap/schema/samba3.schema
-# Experementel schemas
-#include /etc/openldap/schema/cron.schema
-#include /etc/openldap/schema/trust.schema
-#include /etc/openldap/schema/turbo.schema
-# Netscape roaming
-#include /etc/openldap/schema/mull.schema
-#include /etc/openldap/schema/netscape-profile.schema
-# Local schema
-
-# GOSA2 schemas
-#include /etc/openldap/schema/local.schema
-include /etc/openldap/schema/gohard.schema
-include /etc/openldap/schema/goto.schema
-include /etc/openldap/schema/gofax.schema
-include /etc/openldap/schema/goserver.schema
-include /etc/openldap/schema/gosa+samba3.schema
-#include /etc/openldap/schema/gosa.schema
-
-# Specify a set of features (separated by white space) to allow.
-allow bind_v2
-
-# Do not enable referrals until AFTER you have a working directory
-# service AND an understanding of referrals.
-#referral ldap://root.openldap.org
-
-# Specify a desired level of concurrency. Provided to the underlying thread
-# system as a hint. The default is not to provide any hint.
-concurency 20
-
-# Specify the maximum number of pending requests for an anonymous session. If
-# requests are submitted faster than the server can process them, they will
-# be queued up to this limit. If the limit is exceeded, the session is closed.
-#conn_max_pending 100
-
-# Specify the maximum number of pending requests for an
-# authenticated session.
-#conn_max_pending 1000
-
-# Specify a default search base to use when client submits a non-base search
-# request with an empty base DN.
-defaultsearchbase "dc=example,dc=com"
-
-# A SIGHUP signal will only cause a 'gentle' shutdown-attempt: Slapd will
-# stop listening for new connections, but will not close the connections to
-# the current clients.
-gentlehup on
-
-# Specify the number of seconds to wait before forcibly closing an idle client
-# connection. A idletimeout of 0 disables this feature.
-#idletimeout 0
-
-# Specify time and size limits based on who initiated an operation.
-#sizelimit 500
-#timelimit 60
-#limits anonymous time.soft=60 time.hard=120
-#limits anonymous size.soft=1000 size.hard=1100 size.unchecked=1000
-#limits users time.soft=60 time.hard=120
-#limits users size=1000
-#limits dn.base="ou=People,dc=example,dc=com" size=100
-
-# Specify the level at which debugging statements and operation statistics
-# should be syslogged (currently logged to the syslogd(8) LOG_LOCAL4 facility).
-# Log levels are additive, and available levels are:
-# -1 full
-# 0 none
-# 1 trace function calls
-# 2 debug packet handling
-# 4 heavy trace debugging
-# 8 connection management
-# 16 print out packets sent and received
-# 32 search filter processing
-# 64 configuration file processing
-# 128 access control list processing
-# 256 stats log connections/operations/results
-# 512 stats log entries sent
-# 1024 print communication with shell backends
-# 2048 entry parsing
-#loglevel 256
-
-# This option sets the hash to be used in generation of user passwords, stored
-# in userPassword, during processing of LDAP Password Modify Extended
-# Operations (RFC 3062). The must be one of {SSHA}, {SHA}, {SMD5},
-# {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
-#password-hash {SSHA}
-
-# The ( absolute ) name of a file that will hold the server's process ID
-# if started without the debugging command line option.
-pidfile /var/run/slapd.pid
-argsfile /var/run/slapd.args
-replica-pidfile /var/run/slurpd.pid
-replica-argsfile /var/run/slurpd.args
-
-# Specify a set of conditions (separated by white space) to require (default
-# none). The directive may be specified globally and/or per-database. bind
-# requires bind operation prior to directory operations. LDAPv3 requires
-# session to be using LDAP version 3. authc requires authentication prior to
-# directory operations. SASL requires SASL authentication prior to directory
-# operations. strong requires strong authentication prior to directory
-# operations. The strong keyword allows protected "simple" authentication as
-# well as SASL authentication. none may be used to require no conditions
-# (useful for clearly globally set conditions within a particular database).
-#require none
-
-# Specify the name of an LDIF(5) file containing user defined attributes for
-# the root DSE. These attributes are returned in addition to the attributes
-# normally produced by slapd.
-#rootDSE /etc/openldap/rootdse.ldif
-
-# Specify a set of factors (separated by white space) to require. An integer
-# value is associated with each factor and is roughly equivalent of the
-# encryption key length to require. A value of 112 is equivalent to 3DES, 128
-# to Blowfish, etc..
-# Require integrity protection (prevent hijacking)
-# Require 112-bit (3DES or better) encryption for updates
-# Require 63-bit encryption for simple bind
-#security ssf=1 update_ssf=112 simple_bind=64
-
-# Specify the maximum size of the primary thread pool. The default is 16.
-#threads 16
-
-
-#
-# [ TLS OPTIONS ]
-#
-# Permits configuring what ciphers will be accepted and the preference order.
-# should be a cipher specification for OpenSSL.
-#TLSCipherSuite HIGH:MEDIUM:+SSLv2
-
-# Specifies the path of a directory that contains Certificate Authority
-# certificates in separate individual files. Usually only one of this or the
-# TLSCACertificateFile is used.
-#TLSCACertificateFile /etc/openldap/ssl/slapd.pem
-#TLSCACertificatePath /etc/openldap/ssl
-
-# Specifies the file that contains the slapd server certificate.
-#TLSCertificateFile /etc/openldap/ssl/slapd.pem
-
-# Specifies the file that contains the slapd server private key that matches
-# the certificate stored in the TLSCertificateFile file. Currently, the private
-# key must not be protected with a password, so it is of critical importance
-# that it is protected carefully.
-#TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem
-
-# Specifies what checks to perform on client certificates in an incoming TLS
-# session, if any.
-#TLSVerifyClient never
-
-
-#
-# [ ACCESS CONTROL ]
-#
-# See slapd.access(5) for details
-#access to attrs=userPassword
-# by self write
-# by anonymous auth
-# by * none
-
-
-#
-# [ BACKEND OPTIONS ]
-#
-# Load dynamic backend modules:
-modulepath /usr/lib/openldap
-#moduleload back_dnssrv.la
-#moduleload back_ldap.la
-moduleload back_bdb.la
-#moduleload back_ldbm.la
-#moduleload back_meta.la
-#moduleload back_monitor.la
-#moduleload back_null.la
-#moduleload back_passwd.la
-#moduleload back_shell.la
-#moduleload back_perl.la
-#moduleload back_sql.la
-
-# Options in this section only apply to the configuration file section for the
-# specified backend. They are supported by every type of backend.
-#backend ldbm
-#cachesize 1000
-#dbcachesize 100000
-#dbsync 10 12 5
-
-
-#
-# [ DATABASE OPTIONS ]
-#
-# Mark the beginning of a new database instance definition.
-#database ldbm
-
-# Specify the DN suffix of queries that will be passed to this backend
-# database. Multiple suffix lines can be given and at least one is required for
-# each database definition. If the suffix of one database is "inside" that of
-# another, the database with the inner suffix must come first in the
-# configuration file.
-#suffix "dc=example,dc=com"
-
-# Specify the distinguished name that is not subject to access control or
-# administrative limit restrictions for operations on this database. An empty
-# root DN (the default) specifies no root access is to be granted. It is
-# recommended that the rootdn only be specified when needed (such as when
-# initially populating a database).
-#rootdn "cn=admin,dc=example,dc=com"
-
-# Specify a password (or hash of the password) for the rootdn. This option
-# accepts all RFC 2307 userPassword formats known to the server (see
-# password-hash desription) as well as cleartext.
-#rootpw secret
-
-# Controls whether slapd will automatically maintain the modifiersName,
-# modifyTimestamp, creatorsName, and createTimestamp attributes for entries.
-#lastmod on
-
-# Specifies the maximum number of aliases to dereference when trying to resolve
-# an entry, used to avoid inifinite alias loops.
-#maxderefdepth 1
-
-# This option puts the database into "read-only" mode. Any attempts to modify
-# the database will return an "unwilling to perform" error.
-#readonly on
-
-# Specify a replication site for this database. Refer to the "OpenLDAP
-# Administrator's Guide" for detailed information on setting up a replicated
-# slapd directory service.
-#replica uri=ldaps://ldap2.example.com/
-
-# Specify the name of the replication log file to log changes to.
-#replogfile /var/lib/ldap/replica/example.com.replog
-
-# Specify that the current backend database is a subordinate of another backend
-# database. A subordinate database may have only one suffix. This option may be
-# used to glue multiple databases into a single namingContext.
-#subordinate
-
-# This option is only applicable in a slave slapd. It specifies the DN allowed
-# to make changes to the replica
-#updatedn "cn=slave,dc=example,dc=com"
-
-# Specify the referral to pass back when slapd(8) is asked to modify a
-# replicated local database. If specified multiple times, each url is provided.
-#updateref "uri=ldap://ldap2.example.com"
-
-# Specify the directory where the LDBM files containing this database and
-# associated indexes live.
-#directory /var/lib/ldap/bases/example.com
-
-# Specify the indexes to maintain for the given attribute (or list of
-# attributes). Some attributes only support a subset of indexes.Specify the
-# indexes to maintain for the given attribute (or list of attributes). Some
-# attributes only support a subset of indexes.
-#index objectClass eq
-#index uid pres,eq,sub
-#index cn pres,eq,sub,subany
-
-#access to *
-# by * read
-
-
-#
-# Next database instance
-#
-database bdb
-suffix "dc=example,dc=com"
-#rootdn "cn=admin,dc=example,dc=com"
-#rootpw secret
-directory /var/lib/ldap/bases/example.com
-
-index objectClass eq
-index uid pres,eq
-index cn pres,eq,sub,subany
-index mail pres,eq
-index gosaMailDeliveryMode pres,eq,sub
-
-access to userPassword
- by dn=".*,ou=Admins,dc=example,dc=com" write
- by dn="cn=gosa,ou=Apps,dc=example,dc=com" write
- by dn="cn=smbpasswd,ou=Apps,dc=example,dc=com" write
- by self write
- by anonymous auth
- by * none
-
-access to *
- by dn=".*,ou=Admins,dc=example,dc=com" write
- by dn="cn=gosa,ou=Apps,dc=example,dc=com" write
- by dn="cn=smbpasswd,ou=Apps,dc=example,dc=com" write
- by * read
-
diff --git a/contrib/altlinux/etc/postfix/main.cf b/contrib/altlinux/etc/postfix/main.cf
deleted file mode 100644
index 225bea7ff..000000000
--- a/contrib/altlinux/etc/postfix/main.cf
+++ /dev/null
@@ -1,596 +0,0 @@ -# Global Postfix configuration file. This file lists only a subset -# of all 300+ parameters. See the samples/xxx.cf files for a full list. -# -# The general format is lines with parameter = value pairs. Lines -# that begin with whitespace continue the previous line. A value can -# contain references to other $names or ${name}s. -# -# NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF -# POSTFIX STILL WORKS AFTER EVERY CHANGE. - -# SOFT BOUNCE -# -# The soft_bounce parameter provides a limited safety net for -# testing. When soft_bounce is enabled, mail will remain queued that -# would otherwise bounce. This parameter disables locally-generated -# bounces, and prevents the SMTP server from rejecting mail permanently -# (by changing 5xx replies into 4xx replies). However, soft_bounce -# is no cure for address rewriting mistakes or mail routing mistakes. -# -#soft_bounce = no - -# INTERNET HOST AND DOMAIN NAMES -# -# The myhostname parameter specifies the internet hostname of this -# mail system. The default is to use the fully-qualified domain name -# from gethostname(). $myhostname is used as a default value for many -# other configuration parameters. -# -#myhostname = host.domain.tld -#myhostname = virtual.domain.tld - -# The mydomain parameter specifies the local internet domain name. -# The default is to use $myhostname minus the first component. -# $mydomain is used as a default value for many other configuration -# parameters. -# -#mydomain = domain.tld - -# SENDING MAIL -# -# The myorigin parameter specifies the domain that locally-posted -# mail appears to come from. The default is to append $myhostname, -# which is fine for small sites. If you run a domain with multiple -# machines, you should (1) change this to $mydomain and (2) set up -# a domain-wide alias database that aliases each user to -# user@that.users.mailhost. 
-# -# For the sake of consistency between sender and recipient addresses, -# myorigin also specifies the default domain name that is appended -# to recipient addresses that have no @domain part. -# -#myorigin = $myhostname -#myorigin = $mydomain - -# RECEIVING MAIL - -# The inet_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on. By default, -# the software claims all active interfaces on the machine. The -# parameter also controls delivery of mail to user@[ip.address]. -# -# See also the proxy_interfaces parameter, for network addresses that -# are forwarded to us via a proxy or network address translator. -# -# Note: you need to stop/start Postfix when this parameter changes. -# -#inet_interfaces = all -#inet_interfaces = $myhostname -#inet_interfaces = $myhostname, localhost - -# The proxy_interfaces parameter specifies the network interface -# addresses that this mail system receives mail on by way of a -# proxy or network address translation unit. This setting extends -# the address list specified with the inet_interfaces parameter. -# -# You must specify your proxy/NAT addresses when your system is a -# backup MX host for other domains, otherwise mail delivery loops -# will happen when the primary MX host is down. -# -#proxy_interfaces = -#proxy_interfaces = 1.2.3.4 - -# The mydestination parameter specifies the list of domains that this -# machine considers itself the final destination for. -# -# These domains are routed to the delivery agent specified with the -# local_transport parameter setting. By default, that is the UNIX -# compatible delivery agent that lookups all recipients in /etc/passwd -# and /etc/aliases or their equivalent. -# -# The default is $myhostname + localhost.$mydomain. On a mail domain -# gateway, you should also include $mydomain. -# -# Do not specify the names of virtual domains - those domains are -# specified elsewhere (see samples/virtual.cf). 
-# -# Do not specify the names of domains that this machine is backup MX -# host for. Specify those names via the relay_domains settings for -# the SMTP server, or use permit_mx_backup if you are lazy (see -# samples/smtpd.cf). -# -# The local machine is always the final destination for mail addressed -# to user@[the.net.work.address] of an interface that the mail system -# receives mail on (see the inet_interfaces parameter). -# -# Specify a list of host or domain names, /file/name or type:table -# patterns, separated by commas and/or whitespace. A /file/name -# pattern is replaced by its contents; a type:table is matched when -# a name matches a lookup key (the right-hand side is ignored). -# Continue long lines by starting the next line with whitespace. -# -# DO NOT LIST RELAY DESTINATIONS IN MYDESTINATION. -# SPECIFY RELAY DESTINATIONS IN RELAY_DOMAINS. -# -# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". -# -#mydestination = $myhostname, localhost.$mydomain -#mydestination = $myhostname, localhost.$mydomain $mydomain -#mydestination = $myhostname, localhost.$mydomain, $mydomain, -# mail.$mydomain, www.$mydomain, ftp.$mydomain -mydestination = localhost, $myhostname, localhost.$mydomain, $config_directory/mydestination - -# REJECTING MAIL FOR UNKNOWN LOCAL USERS -# -# The local_recipient_maps parameter specifies optional lookup tables -# with all names or addresses of users that are local with respect -# to $mydestination and $inet_interfaces. -# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown local users. This parameter is defined by default. -# -# To turn off local recipient checking in the SMTP server, specify -# local_recipient_maps = (i.e. empty). -# -# The default setting assumes that you use the default Postfix local -# delivery agent for local delivery. 
You need to update the -# local_recipient_maps setting if: -# -# - You define $mydestination domain recipients in files other than -# /etc/passwd, /etc/postfix/aliases, or the $virtual_alias_maps files. -# For example, you define $mydestination domain recipients in -# the $virtual_mailbox_maps files. -# -# - You redefine the local delivery agent in master.cf. -# -# - You redefine the "local_transport" setting in main.cf. -# -# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" -# feature of the Postfix local delivery agent (see samples/local.cf). -# -# Details are described in the LOCAL_RECIPIENT_README file. -# -# Beware: if the Postfix SMTP server runs chrooted, you probably have -# to access the passwd file via the proxymap service, in order to -# overcome chroot restrictions. The alternative, having a copy of -# the system passwd file in the chroot jail is just not practical. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify a bare username, an @domain.tld -# wild-card, or specify a user@domain.tld address. -# -#local_recipient_maps = unix:passwd.byname $alias_maps -#local_recipient_maps = proxy:unix:passwd.byname $alias_maps -#local_recipient_maps = - -# The unknown_local_recipient_reject_code specifies the SMTP server -# response code when a recipient domain matches $mydestination or -# $inet_interfaces, while $local_recipient_maps is non-empty and the -# recipient address or address local-part is not found. -# -# The default setting is 550 (reject mail) but it is safer to start -# with 450 (try again later) until you are certain that your -# local_recipient_maps settings are OK. -# -unknown_local_recipient_reject_code = 550 - -# TRUST AND RELAY CONTROL - -# The mynetworks parameter specifies the list of "trusted" SMTP -# clients that have more privileges than "strangers". -# -# In particular, "trusted" SMTP clients are allowed to relay mail -# through Postfix. 
See the smtpd_recipient_restrictions parameter -# in file samples/smtpd.cf. -# -# You can specify the list of "trusted" network addresses by hand -# or you can let Postfix do it for you (which is the default). -# -# By default (mynetworks_style = host), Postfix "trusts" SMTP -# clients of the local machine only. -# -# Specify "mynetworks_style = class" when Postfix should "trust" SMTP -# clients in the same IP class A/B/C networks as the local machine. -# Don't do this with a dialup site - it would cause Postfix to "trust" -# your entire provider's network. Instead, specify an explicit -# mynetworks list by hand, as described below. -# -# Specify "mynetworks_style = subnet" when Postfix should "trust" SMTP -# clients in the same IP subnetworks as the local machine. -# -#mynetworks_style = class -#mynetworks_style = subnet -#mynetworks_style = host - -# Alternatively, you can specify the mynetworks list by hand, in -# which case Postfix ignores the mynetworks_style setting. -# -# Specify an explicit list of network/netmask patterns, where the -# mask specifies the number of bits in the network part of a host -# address. -# -# You can also specify the absolute pathname of a pattern file instead -# of listing the patterns here. Specify type:table for table-based lookups -# (the value on the table right-hand side is not used). -# -#mynetworks = 168.100.189.0/28, 127.0.0.0/8 -#mynetworks = $config_directory/mynetworks -#mynetworks = hash:/etc/postfix/network_table - -# The relay_domains parameter restricts what destinations this system will -# relay mail to. See the smtpd_recipient_restrictions restriction in the -# file samples/smtpd.cf for detailed information. -# -# By default, Postfix relays mail -# - from "trusted" clients (IP address matches $mynetworks) to any destination, -# - from "untrusted" clients to destinations that match $relay_domains or -# subdomains thereof, except addresses with sender-specified routing. 
-# The default relay_domains value is $mydestination. -# -# In addition to the above, the Postfix SMTP server by default accepts mail -# that Postfix is final destination for: -# - destinations that match $inet_interfaces, -# - destinations that match $mydestination -# - destinations that match $virtual_alias_domains, -# - destinations that match $virtual_mailbox_domains. -# These destinations do not need to be listed in $relay_domains. -# -# Specify a list of hosts or domains, /file/name patterns or type:name -# lookup tables, separated by commas and/or whitespace. Continue -# long lines by starting the next line with whitespace. A file name -# is replaced by its contents; a type:name table is matched when a -# (parent) domain appears as lookup key. -# -# NOTE: Postfix will not automatically forward mail for domains that -# list this system as their primary or backup MX host. See the -# permit_mx_backup restriction in the file samples/smtpd.cf. -# -#relay_domains = $mydestination - -# INTERNET OR INTRANET - -# The relayhost parameter specifies the default host to send mail to -# when no entry is matched in the optional transport(5) table. When -# no relayhost is given, mail is routed directly to the destination. -# -# On an intranet, specify the organizational domain name. If your -# internal DNS uses no MX records, specify the name of the intranet -# gateway host instead. -# -# In the case of SMTP, specify a domain, host, host:port, [host]:port, -# [address] or [address]:port; the form [host] turns off MX lookups. -# -# If you're connected via UUCP, see also the default_transport parameter. -# -#relayhost = $mydomain -#relayhost = gateway.my.domain -#relayhost = uucphost -#relayhost = [an.ip.add.ress] - -# REJECTING UNKNOWN RELAY USERS -# -# The relay_recipient_maps parameter specifies optional lookup tables -# with all addresses in the domains that match $relay_domains. 
-# -# If this parameter is defined, then the SMTP server will reject -# mail for unknown relay users. This feature is off by default. -# -# The right-hand side of the lookup tables is conveniently ignored. -# In the left-hand side, specify an @domain.tld wild-card, or specify -# a user@domain.tld address. -# -#relay_recipient_maps = hash:/etc/postfix/relay_recipients - -# INPUT RATE CONTROL -# -# The in_flow_delay configuration parameter implements mail input -# flow control. This feature is turned on by default, although it -# still needs further development (it's disabled on SCO UNIX due -# to an SCO bug). -# -# A Postfix process will pause for $in_flow_delay seconds before -# accepting a new message, when the message arrival rate exceeds the -# message delivery rate. With the default 100 SMTP server process -# limit, this limits the mail inflow to 100 messages a second more -# than the number of messages delivered per second. -# -# Specify 0 to disable the feature. Valid delays are 0..10. -# -#in_flow_delay = 1s - -# ADDRESS REWRITING -# -# Insert text from samples/rewrite.cf if you need to do address -# masquerading. -# -# Insert text from samples/canonical.cf if you need to do address -# rewriting, or if you need username->Firstname.Lastname mapping. - -# ADDRESS REDIRECTION (VIRTUAL DOMAIN) -# -# Insert text from samples/virtual.cf if you need virtual domain support. - -# "USER HAS MOVED" BOUNCE MESSAGES -# -# Insert text from samples/relocated.cf if you need "user has moved" -# style bounce messages. Alternatively, you can bounce recipients -# with an SMTP server access table. See samples/smtpd.cf. - -# TRANSPORT MAP -# -# Insert text from samples/transport.cf if you need explicit routing. - -# ALIAS DATABASE -# -# The alias_maps parameter specifies the list of alias databases used -# by the local delivery agent. The default list is system dependent. -# -# On systems with NIS, the default is to search the local alias -# database, then the NIS alias database. 
See aliases(5) for syntax -# details. -# -# If you change the alias database, run "postalias /etc/postfix/aliases" (or -# wherever your system stores the mail alias file), or simply run -# "newaliases" to build the necessary DBM or DB file. -# -# It will take a minute or so before changes become visible. Use -# "postfix reload" to eliminate the delay. -# -#alias_maps = dbm:/etc/postfix/aliases -alias_maps = hash:/etc/postfix/aliases -#, hash:/var/lib/mailman/etc/aliases -#alias_maps = hash:/etc/postfix/aliases, nis:mail.aliases -#alias_maps = netinfo:/aliases - -# The alias_database parameter specifies the alias database(s) that -# are built with "newaliases" or "sendmail -bi". This is a separate -# configuration parameter, because alias_maps (see above) may specify -# tables that are not necessarily all under control by Postfix. -# -#alias_database = dbm:/etc/postfix/aliases -alias_database = hash:/etc/postfix/aliases -#alias_database = hash:/etc/postfix/aliases, hash:/opt/majordomo/aliases -#virtual_maps = hash:/var/lib/mailman/etc/virtual-mailman - -# ADDRESS EXTENSIONS (e.g., user+foo) -# -# The recipient_delimiter parameter specifies the separator between -# user names and address extensions (user+foo). See canonical(5), -# local(8), relocated(5) and virtual(5) for the effects this has on -# aliases, canonical, virtual, relocated and .forward file lookups. -# Basically, the software tries user+foo and .forward+foo before -# trying user and .forward. -# -#recipient_delimiter = + - -# DELIVERY TO MAILBOX -# -# The home_mailbox parameter specifies the optional pathname of a -# mailbox file relative to a user's home directory. The default -# mailbox file is /var/spool/mail/user or /var/mail/user. Specify -# "Maildir/" for qmail-style delivery (the / is required). -# -#home_mailbox = Mailbox -#home_mailbox = Maildir/ - -# The mail_spool_directory parameter specifies the directory where -# UNIX-style mailboxes are kept. 
The default setting depends on the -# system type. -# -#mail_spool_directory = /var/mail -#mail_spool_directory = /var/spool/mail - -# The mailbox_command parameter specifies the optional external -# command to use instead of mailbox delivery. The command is run as -# the recipient with proper HOME, SHELL and LOGNAME environment settings. -# Exception: delivery for root is done as $default_user. -# -# Other environment variables of interest: USER (recipient username), -# EXTENSION (address extension), DOMAIN (domain part of address), -# and LOCAL (the address localpart). -# -# Unlike other Postfix configuration parameters, the mailbox_command -# parameter is not subjected to $parameter substitutions. This is to -# make it easier to specify shell syntax (see example below). -# -# Avoid shell meta characters because they will force Postfix to run -# an expensive shell process. Procmail alone is expensive enough. -# -# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN -# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. -# -#mailbox_command = /usr/bin/procmail -a "$EXTENSION" -mailbox_command = /usr/bin/procmail -a $DOMAIN -d $LOGNAME - -# The mailbox_transport specifies the optional transport in master.cf -# to use after processing aliases and .forward files. This parameter -# has precedence over the mailbox_command, fallback_transport and -# luser_relay parameters. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". 
-# -mailbox_transport = lmtp:unix:/public/lmtp -#mailbox_transport = cyrus - -# The fallback_transport specifies the optional transport in master.cf -# to use for recipients that are not found in the UNIX passwd database. -# This parameter has precedence over the luser_relay parameter. -# -# Specify a string of the form transport:nexthop, where transport is -# the name of a mail delivery transport defined in master.cf. The -# :nexthop part is optional. For more details see the sample transport -# configuration file. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must update the "local_recipient_maps" setting in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". -# -#fallback_transport = lmtp:unix:/private/lmtp -fallback_transport = cyrus -#fallback_transport = - -# The luser_relay parameter specifies an optional destination address -# for unknown recipients. By default, mail for unknown@$mydestination -# and unknown@[$inet_interfaces] is returned as undeliverable. -# -# The following expansions are done on luser_relay: $user (recipient -# username), $shell (recipient shell), $home (recipient home directory), -# $recipient (full recipient address), $extension (recipient address -# extension), $domain (recipient domain), $local (entire recipient -# localpart), $recipient_delimiter. Specify ${name?value} or -# ${name:value} to expand value only when $name does (does not) exist. -# -# luser_relay works only for the default Postfix local delivery agent. -# -# NOTE: if you use this feature for accounts not in the UNIX password -# file, then you must specify "local_recipient_maps =" (i.e. empty) in -# the main.cf file, otherwise the SMTP server will reject mail for -# non-UNIX accounts with "User unknown in local recipient table". 
-# -#luser_relay = $user@other.host -#luser_relay = $local@other.host -#luser_relay = admin+$local - -# JUNK MAIL CONTROLS -# -# The controls listed here are only a very small subset. See the file -# samples/smtpd.cf for an elaborate list of anti-UCE controls. - -# The header_checks parameter specifies an optional table with patterns -# that each logical message header is matched against, including -# headers that span multiple physical lines. -# -# By default, these patterns also apply to MIME headers and to the -# headers of attached messages. With older Postfix versions, MIME and -# attached message headers were treated as body text. -# -# For details, see the samples/filter.cf file. -# -#header_checks = regexp:/etc/postfix/header_checks - -# FAST ETRN SERVICE -# -# Postfix maintains per-destination logfiles with information about -# deferred mail, so that mail can be flushed quickly with the SMTP -# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". -# -# By default, Postfix maintains deferred mail logfile information -# only for destinations that Postfix is willing to relay to (as -# specified in the relay_domains parameter). For other destinations, -# Postfix attempts to deliver ALL queued mail after receiving the -# SMTP "ETRN domain.tld" command, or after execution of "sendmail -# -qRdomain.tld". This can be slow when a lot of mail is queued. -# -# The fast_flush_domains parameter controls what destinations are -# eligible for this "fast ETRN/sendmail -qR" service. -# -#fast_flush_domains = $relay_domains -#fast_flush_domains = - -# SHOW SOFTWARE VERSION OR NOT -# -# The smtpd_banner parameter specifies the text that follows the 220 -# code in the SMTP server's greeting banner. Some people like to see -# the mail version advertised. By default, Postfix shows no version. -# -# You MUST specify $myhostname at the start of the text. That is an -# RFC requirement. Postfix itself does not care. 
-# -#smtpd_banner = $myhostname ESMTP $mail_name -#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) - -# The smtpd_etrn_restrictions parameter restricts what clients are -# allowed to issue the ETRN command. -# -# The Postfix ETRN command accepts only destinations that are eligible -# for the Postfix "fast flush" service. See the samples/flush.cf file -# for details. -# -# The default is to allow ETRN from any host. The following restrictions -# are available: -# -# reject_unknown_client: reject the request if the client hostname is unknown. -# permit_mynetworks: permit if the client address matches $mynetworks. -# check_client_access maptype:mapname -# look up client name, parent domains, client address, -# or networks obtained by stripping octets. -# see access(5) for possible lookup results. -# reject_rbl_client domain.tld: reject if the reverse client network -# address is listed in an A record under domain.tld. -# reject_rhsbl_client domain.tld: reject if the client hostname is listed -# in an A record under domain.tld. -# reject: reject the request. Place this at the end of a restriction. -# permit: permit the request. Place this at the end of a restriction. -# warn_if_reject: next restriction logs a warning instead of rejecting. -# -# You may also list any helo or client restrictions here (see below). -# -smtpd_etrn_restrictions = permit_mynetworks, reject - -# The smtpd_helo_required parameter optionally turns on the requirement -# that SMTP clients must introduce themselves at the beginning of an -# SMTP session. -# -smtpd_helo_required = yes - -# PARALLEL DELIVERY TO THE SAME DESTINATION -# -# How many parallel deliveries to the same user or domain? With local -# delivery, it does not make sense to do massively parallel delivery -# to the same user, because mailbox updates must happen sequentially, -# and expensive pipelines in .forward files can cause disasters when -# too many are run at the same time. 
With SMTP deliveries, 10 -# simultaneous connections to the same domain could be sufficient to -# raise eyebrows. -# -# Each message delivery transport has its XXX_destination_concurrency_limit -# parameter. The default is $default_destination_concurrency_limit for -# most delivery transports. For the local delivery agent the default is 2. - -#local_destination_concurrency_limit = 2 -#default_destination_concurrency_limit = 20 - -# INSTALL-TIME CONFIGURATION INFORMATION -readme_directory = /etc/postfix/README_FILES -sample_directory = /etc/postfix/samples -sendmail_path = /usr/sbin/sendmail -setgid_group = postdrop -command_directory = /usr/sbin -manpage_directory = /usr/share/man -daemon_directory = /usr/lib/postfix -newaliases_path = /usr/bin/newaliases -mailq_path = /usr/bin/mailq -queue_directory = /var/spool/postfix -mail_owner = postfix - -# SASL authenticated SMTPD -#smtpd_sasl_auth_enable = yes -#broken_sasl_auth_clients = yes -#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains -#smtpd_etrn_restrictions = permit_mynetworks, reject - -# Virtual users -virtual_maps = hash:/etc/postfix/virtual -virtual_alias_maps = ldap:vlocal, ldap:vforward - -# Delivery for Local, Local/Forward and Alias -vlocal_server_host = localhost -vlocal_search_base = dc=example,dc=com -vlocal_query_filter = (&(objectClass=gosaMailAccount)(gosaMailDeliveryMode=[*L*])(|(mail=%s)(gosaMailAlternateAddress=%s))) -vlocal_result_attribute = uid,gosaMailForwardingAddress,memberUid - -# Delivery when Forward only -vforward_server_host = localhost -vforward_search_base = dc=example,dc=com -vforward_query_filter = (&(objectClass=gosaMailAccount)(!(gosaMailDeliveryMode=[*L*]))(|(mail=%s)(gosaMailAlternateAddress=%s))) -vforward_result_attribute = gosaMailForwardingAddress - diff --git a/contrib/altlinux/etc/samba/smb.conf b/contrib/altlinux/etc/samba/smb.conf deleted file mode 100644 index 6910adb61..000000000 
--- a/contrib/altlinux/etc/samba/smb.conf
+++ /dev/null
@@ -1,73 +0,0 @@ -#======================= Global Settings ===================================== -[global] - ldap server = localhost - ldap port = 389 - ldap suffix = dc=example,dc=com - ldap admin dn = cn=smbpasswd,ou=Apps,dc=example,dc=com - - ldap user suffix = ou=People - ldap group suffix = ou=Groups - ldap machine suffix = ou=Computers - ldap passwd sync = Yes - - workgroup = EXAMPLE - netbios name = PDC - server string = Samba server on %h (v. %v) - #realm = PDC.EXAMPLE.TLD - announce version = 4.8 - time server = Yes - - log file = /var/log/samba/log.%m - max log size = 50 - - security = user - hosts allow = 192.168.1. 127. - encrypt passwords = yes - null passwords = No - min passwd length = 6 - smb passwd file = /etc/samba/smbpasswd - socket options = TCP_NODELAY - os level = 254 - nt acl support = No - passdb backend = ldapsam:ldap://localhost - - domain master = yes - preferred master = yes - domain logons = yes - dns proxy = no - - #dos charset = CP866 - #unix charset = KOI8-R - #display charset = KOI8-R - use sendfile = yes - preserve case = Yes - short preserve case = Yes - case sensitive = Yes - hide dot files = Yes - -#============================ Share Definitions ============================== -[homes] - comment = Home Directory for '%u' - browseable = no - writable = yes - -# Un-comment the following and create the netlogon directory for Domain Logons -[netlogon] - comment = Network Logon Service - path = /var/lib/samba/netlogon - guest ok = yes - browsable = no - writable = no - -#Uncomment the following 2 lines if you would like your login scripts to -#be created dynamically by ntlogon (check that you have it in the correct -#location (the default of the ntlogon rpm available in contribs) -;root preexec = /usr/bin/ntlogon -u %U -g %G -o %a -d /var/lib/samba/netlogon -;root postexec = rm -f /var/lib/samba/netlogon/%U.bat - -# Un-comment the following to provide a specific roving profile share -# the default is to use the user's home directory 
-;[Profiles]
-; path = /var/lib/samba/profiles
-; browseable = no
-; guest ok = yes
diff --git a/contrib/altlinux/etc/sasl2/imapd.conf b/contrib/altlinux/etc/sasl2/imapd.conf
deleted file mode 100644
index 993c2b0bd..000000000
--- a/contrib/altlinux/etc/sasl2/imapd.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-pwcheck_method: saslauthd
-mech_list: login plain
diff --git a/contrib/altlinux/etc/sasl2/saslauthd.conf b/contrib/altlinux/etc/sasl2/saslauthd.conf
deleted file mode 100644
index f7139036e..000000000
--- a/contrib/altlinux/etc/sasl2/saslauthd.conf
+++ /dev/null
@@ -1,74 +0,0 @@
-ldap_servers: ldap://localhost/
-ldap_bind_dn: cn=saslauthd,ou=Apps,dc=example,dc=com
-ldap_bind_pw: saslauthd
-ldap_version: 3
-# <2|3>
-# Specify the LDAP protocol version to use.
-
-ldap_timeout: 5
-# Specify a number of seconds a search can take before timing out.
-
-ldap_time_limit: 5
-# Specify a number of seconds for a search request to complete.
-
-#ldap_deref:
-# Specify how aliases dereferencing is handled during a search.
-
-#ldap_referrals:
-# Specify whether or not the client should follow referrals.
-
-#ldap_restart:
-# Specify whether or not LDAP I/O operations are automatically restarted
-# if they abort prematurely.
-
-#ldap_cache_ttl: <0>
-# Non zero enables client side caching. Cached results will expire after
-# specified number seconds, e.g. 30. Use this option with care.
-# OpenLDAP folks consider this feature experimental.
-
-#ldap_cache_mem: <0>
-# If client side caching is enabled, the value specifies the cache size
-# in bytes, e.g. 32768.
-
-#ldap_scope:
-# Search scope.
-
-ldap_search_base: dc=iph,dc=ras,dc=ru
-# Specify a starting point for the search. e.g. dc=foo,dc=com
-
-#ldap_auth_method:
-# Specify an authentication method. The default 'bind' method uses the
-# LDAP simple bind facility to verify the password. The custom method
-# uses userPassword attribute to verify the password. Currently, {CRYPT}
-# hash is supported.
-
-ldap_filter: (|(uid=%u)(cn=%u))
-# Specify a filter. Use the %u and %r tokens for the username and realm
-# substitution. The %u token has to be used at minimum for the filter to
-# be useful. If ldap_auth_method is 'bind', the filter will search for
-# the DN (distinguished name) attribute. Otherwise, the search will look
-# for the userPassword attribute.
-
-#ldap_debug: <0>
-# Specify a debugging level in the OpenLDAP libraries. See
-# ldap_set_option(3) for more (LDAP_OPT_DEBUG_LEVEL).
-#
-#ldap_tls_check_peer:
-# Require and verify server certificate. If this option is yes,
-# you must specify ldap_tls_cacert_file or ldap_tls_cacert_dir.
-
-#ldap_tls_cacert_file:
-# File containing CA (Certificate Authority) certificate(s).
-
-#ldap_tls_cacert_dir:
-# Path to directory with CA (Certificate Authority) certificates.
-
-#ldap_tls_ciphers:
-# List of SSL/TLS ciphers to allow. The format of the string is
-# described in ciphers(1).
-
-#ldap_tls_cert:
-# File containing the client certificate.
-
-#ldap_tls_key:
-# File containing the private client key.
diff --git a/contrib/altlinux/etc/services b/contrib/altlinux/etc/services
deleted file mode 100644
index 9251a4881..000000000
--- a/contrib/altlinux/etc/services
+++ /dev/null
@@ -1,557 +0,0 @@
-# /etc/services:
-# $Id: services,v 1.1 2004/12/08 07:22:10 migor-guest Exp $
-#
-# Network services, Internet style
-#
-# Note that it is presently the policy of IANA to assign a single well-known
-# port number for both TCP and UDP; hence, most entries here have two entries
-# even if the protocol doesn't support UDP operations.
-# Updated from RFC 1700, ``Assigned Numbers'' (October 1994). Not all ports
-# are included, only the more common ones.
-#
-# The latest IANA port assignments can be gotten from
-# http://www.iana.org/assignments/port-numbers
-# The Well Known Ports are those from 0 through 1023.
-# The Registered Ports are those from 1024 through 49151
-# The Dynamic and/or Private Ports are those from 49152 through 65535
-#
-# Each line describes one service, and is of the form:
-#
-# service-name port/protocol [aliases ...] [# comment]
-
-tcpmux 1/tcp # TCP port service multiplexer
-tcpmux 1/udp # TCP port service multiplexer
-rje 5/tcp # Remote Job Entry
-rje 5/udp # Remote Job Entry
-echo 7/tcp
-echo 7/udp
-discard 9/tcp sink null
-discard 9/udp sink null
-systat 11/tcp users # Active Users
-systat 11/udp users # Active Users
-daytime 13/tcp
-daytime 13/udp
-qotd 17/tcp quote # Quote of the Day
-qotd 17/udp quote # Quote of the Day
-msp 18/tcp # Message Send Protocol
-msp 18/udp # Message Send Protocol
-chargen 19/tcp ttytst source # Character Generator
-chargen 19/udp ttytst source # Character Generator
-ftp-data 20/tcp # File Transfer [Default Data]
-ftp-data 20/udp # File Transfer [Default Data]
-# 21 is registered to ftp, but also used by fsp
-ftp 21/tcp # File Transfer [Control]
-ftp 21/udp fsp fspd # File Transfer [Control]
-ssh 22/tcp # SSH Remote Login Protocol
-ssh 22/udp # SSH Remote Login Protocol
-telnet 23/tcp
-telnet 23/udp
-# 24 - private mail system
-smtp 25/tcp mail # Simple Mail Transfer Protocol
-smtp 25/udp mail # Simple Mail Transfer Protocol
-time 37/tcp timserver
-time 37/udp timserver
-rlp 39/tcp resource # 
Resource Location Protocol
-rlp 39/udp resource # Resource Location Protocol
-nameserver 42/tcp name # Host Name Server
-nameserver 42/udp name # Host Name Server
-nicname 43/tcp whois
-nicname 43/udp whois
-tacacs 49/tcp # Login Host Protocol (TACACS)
-tacacs 49/udp # Login Host Protocol (TACACS)
-re-mail-ck 50/tcp # Remote Mail Checking Protocol
-re-mail-ck 50/udp # Remote Mail Checking Protocol
-domain 53/tcp # Domain Name Server
-domain 53/udp # Domain Name Server
-whois++ 63/tcp
-whois++ 63/udp
-bootps 67/tcp # BOOTP server
-bootps 67/udp
-bootpc 68/tcp # BOOTP client
-bootpc 68/udp
-tftp 69/tcp # Trivial File Transfer
-tftp 69/udp # Trivial File Transfer
-gopher 70/tcp # Internet Gopher
-gopher 70/udp
-netrjs-1 71/tcp # Remote Job Service
-netrjs-1 71/udp # Remote Job Service
-netrjs-2 72/tcp # Remote Job Service
-netrjs-2 72/udp # Remote Job Service
-netrjs-3 73/tcp # Remote Job Service
-netrjs-3 73/udp # Remote Job Service
-netrjs-4 74/tcp # Remote Job Service
-netrjs-4 74/udp # Remote Job Service
-finger 79/tcp
-finger 79/udp
-http 80/tcp www www-http # World Wide Web HTTP
-http 80/udp www www-http # HyperText Transfer Protocol
-kerberos 88/tcp kerberos5 krb5 # Kerberos v5
-kerberos 88/udp kerberos5 krb5 # Kerberos v5
-supdup 95/tcp
-supdup 95/udp
-hostname 101/tcp hostnames # usually from sri-nic
-hostname 101/udp hostnames # usually from sri-nic
-iso-tsap 102/tcp tsap # part of ISODE.
-csnet-ns 105/tcp cso # also used by CSO name server
-csnet-ns 105/udp cso
-# unfortunately the poppassd (Eudora) uses a port which has already
-# been assigned to a different service. We list the poppassd as an
-# alias here. This should work for programs asking for this service. 
-# (due to a bug in inetd the 3com-tsmux line is disabled)
-#3com-tsmux 106/tcp poppassd
-#3com-tsmux 106/udp poppassd
-rtelnet 107/tcp # Remote Telnet
-rtelnet 107/udp
-pop2 109/tcp pop-2 postoffice # POP version 2
-pop2 109/udp pop-2
-pop3 110/tcp pop-3 # POP version 3
-pop3 110/udp pop-3
-sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
-sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
-auth 113/tcp authentication tap ident
-auth 113/udp authentication tap ident
-sftp 115/tcp
-sftp 115/udp
-uucp-path 117/tcp
-uucp-path 117/udp
-nntp 119/tcp readnews untp # USENET News Transfer Protocol
-nntp 119/udp readnews untp # USENET News Transfer Protocol
-ntp 123/tcp
-ntp 123/udp # Network Time Protocol
-pwdgen 129/tcp # Password Generator Protocol
-pwdgen 129/udp # Password Generator Protocol
-netbios-ns 137/tcp # NETBIOS Name Service
-netbios-ns 137/udp
-netbios-dgm 138/tcp # NETBIOS Datagram Service
-netbios-dgm 138/udp
-netbios-ssn 139/tcp # NETBIOS session service
-netbios-ssn 139/udp
-imap 143/tcp imap2 # Interim Mail Access Proto v2
-imap 143/udp imap2
-snmp 161/tcp # Simple Net Mgmt Proto
-snmp 161/udp # Simple Net Mgmt Proto
-snmptrap 162/udp snmp-trap # Traps for SNMP
-cmip-man 163/tcp # ISO mgmt over IP (CMOT)
-cmip-man 163/udp
-cmip-agent 164/tcp
-cmip-agent 164/udp
-mailq 174/tcp # MAILQ
-mailq 174/udp # MAILQ
-xdmcp 177/tcp # X Display Mgr. Control Proto
-xdmcp 177/udp
-nextstep 178/tcp NeXTStep NextStep # NeXTStep window
-nextstep 178/udp NeXTStep NextStep # server
-bgp 179/tcp # Border Gateway Proto. 
-bgp 179/udp
-prospero 191/tcp # Cliff Neuman's Prospero
-prospero 191/udp
-irc 194/tcp # Internet Relay Chat
-irc 194/udp
-smux 199/tcp # SNMP Unix Multiplexer
-smux 199/udp
-at-rtmp 201/tcp # AppleTalk routing
-at-rtmp 201/udp
-at-nbp 202/tcp # AppleTalk name binding
-at-nbp 202/udp
-at-echo 204/tcp # AppleTalk echo
-at-echo 204/udp
-at-zis 206/tcp # AppleTalk zone information
-at-zis 206/udp
-qmtp 209/tcp # Quick Mail Transfer Protocol
-qmtp 209/udp # Quick Mail Transfer Protocol
-z39.50 210/tcp z3950 wais # NISO Z39.50 database
-z39.50 210/udp z3950 wais
-ipx 213/tcp # IPX
-ipx 213/udp
-imap3 220/tcp # Interactive Mail Access
-imap3 220/udp # Protocol v3
-link 245/tcp ttylink
-link 245/ucp ttylink
-fatserv 347/tcp # Fatmen Server
-fatserv 347/udp # Fatmen Server
-rsvp_tunnel 363/tcp
-rsvp_tunnel 363/udp
-rpc2portmap 369/tcp
-rpc2portmap 369/udp # Coda portmapper
-codaauth2 370/tcp
-codaauth2 370/udp # Coda authentication server
-ulistproc 372/tcp ulistserv # UNIX Listserv
-ulistproc 372/udp ulistserv
-ldap 389/tcp
-ldap 389/udp
-svrloc 427/tcp # Server Location Protocl
-svrloc 427/udp # Server Location Protocl
-mobileip-agent 434/tcp
-mobileip-agent 434/udp
-mobilip-mn 435/tcp
-mobilip-mn 435/udp
-https 443/tcp # MCom
-https 443/udp # MCom
-snpp 444/tcp # Simple Network Paging Protocol
-snpp 444/udp # Simple Network Paging Protocol
-microsoft-ds 445/tcp
-microsoft-ds 445/udp
-kpasswd 464/tcp kpwd # Kerberos "passwd"
-kpasswd 464/udp kpwd # Kerberos "passwd"
-photuris 468/tcp
-photuris 468/udp
-saft 487/tcp # Simple Asynchronous File Transfer
-saft 487/udp # Simple Asynchronous File Transfer
-gss-http 488/tcp
-gss-http 488/udp
-pim-rp-disc 496/tcp
-pim-rp-disc 496/udp
-isakmp 500/tcp
-isakmp 500/udp
-gdomap 538/tcp # GNUstep distributed objects
-gdomap 538/udp # GNUstep distributed objects
-iiop 535/tcp
-iiop 535/udp
-dhcpv6-client 546/tcp
-dhcpv6-client 546/udp
-dhcpv6-server 547/tcp
-dhcpv6-server 547/udp
-rtsp 554/tcp # Real Time Stream Control Protocol
-rtsp 
554/udp # Real Time Stream Control Protocol
-nntps 563/tcp # NNTP over SSL
-nntps 563/udp # NNTP over SSL
-whoami 565/tcp
-whoami 565/udp
-submission 587/tcp msa # mail message submission
-submission 587/udp msa # mail message submission
-npmp-local 610/tcp dqs313_qmaster # npmp-local / DQS
-npmp-local 610/udp dqs313_qmaster # npmp-local / DQS
-npmp-gui 611/tcp dqs313_execd # npmp-gui / DQS
-npmp-gui 611/udp dqs313_execd # npmp-gui / DQS
-hmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQS
-hmmp-ind 612/udp dqs313_intercell # HMMP Indication / DQS
-ipp 631/tcp # Internet Printing Protocol
-ipp 631/ucp # Internet Printing Protocol
-ldaps 636/tcp # LDAP over SSL
-ldaps 636/udp # LDAP over SSL
-acap 674/tcp
-acap 674/udp
-ha-cluster 694/tcp # Heartbeat HA-cluster
-ha-cluster 694/udp # Heartbeat HA-cluster
-kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
-kerberos-iv 750/udp kerberos4 kerberos-sec kdc
-kerberos-iv 750/tcp kerberos4 kerberos-sec kdc
-webster 765/tcp # Network dictionary
-webster 765/udp
-phonebook 767/tcp # Network phonebook
-phonebook 767/udp
-rsync 873/tcp # rsync
-rsync 873/udp # rsync
-telnets 992/tcp
-telnets 992/udp
-imaps 993/tcp # IMAP over SSL
-imaps 993/udp # IMAP over SSL
-ircs 994/tcp
-ircs 994/udp
-pop3s 995/tcp # POP-3 over SSL
-pop3s 995/udp # POP-3 over SSL
-
-#
-# UNIX specific services
-#
-exec 512/tcp
-biff 512/udp comsat
-login 513/tcp
-who 513/udp whod
-shell 514/tcp cmd # no passwords used
-syslog 514/udp
-printer 515/tcp spooler # line printer spooler
-printer 515/udp spooler # line printer spooler
-talk 517/udp
-ntalk 518/udp
-utime 519/tcp unixtime
-utime 519/udp unixtime
-efs 520/tcp
-router 520/udp route routed # RIP
-ripng 521/tcp
-ripng 521/udp
-timed 525/tcp timeserver
-timed 525/udp timeserver
-tempo 526/tcp newdate
-courier 530/tcp rpc
-conference 531/tcp chat
-netnews 532/tcp
-netwall 533/udp # -for emergency broadcasts
-uucp 540/tcp uucpd # uucp daemon
-klogin 543/tcp # Kerberized `rlogin' (v5)
-kshell 544/tcp krcmd 
# Kerberized `rsh' (v5)
-afpovertcp 548/tcp # AFP over TCP
-afpovertcp 548/udp # AFP over TCP
-remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem
-
-#
-# From ``PORT NUMBERS'':
-#
-#>REGISTERED PORT NUMBERS
-#>
-#>The Registered Ports are listed by the IANA and on most systems can be
-#>used by ordinary user processes or programs executed by ordinary
-#>users.
-#>
-#>Ports are used in the TCP [RFC793] to name the ends of logical
-#>connections which carry long term conversations. For the purpose of
-#>providing services to unknown callers, a service contact port is
-#>defined. This list specifies the port used by the server process as
-#>its contact port.
-#>
-#>The IANA registers uses of these ports as a convienence to the
-#>community.
-#
-socks 1080/tcp # socks proxy server
-socks 1080/udp # socks proxy server
-h323hostcallsc 1300/tcp # H323 Host Call Secure
-h323hostcallsc 1300/udp # H323 Host Call Secure
-ms-sql-s 1433/tcp # Microsoft-SQL-Server
-ms-sql-s 1433/udp # Microsoft-SQL-Server
-ms-sql-m 1434/tcp # Microsoft-SQL-Monitor
-ms-sql-m 1434/udp # Microsoft-SQL-Monitor
-ica 1494/tcp # Citrix ICA Client
-ica 1494/udp # Citrix ICA Client
-wins 1512/tcp # Microsoft's Windows Internet Name Service
-wins 1512/udp # Microsoft's Windows Internet Name Service
-ingreslock 1524/tcp
-ingreslock 1524/udp
-prospero-np 1525/tcp # Prospero non-privileged
-prospero-np 1525/udp
-datametrics 1645/tcp old-radius # datametrics / old radius entry
-datametrics 1645/udp old-radius # datametrics / old radius entry
-sa-msg-port 1646/tcp old-radacct # sa-msg-port / old radacct entry
-sa-msg-port 1646/udp old-radacct # sa-msg-port / old radacct entry
-kermit 1649/tcp
-kermit 1649/udp
-l2tp 1701/tcp l2f
-l2tp 1701/udp l2f
-h323gatedisc 1718/tcp
-h323gatedisc 1718/udp
-h323gatestat 1719/tcp
-h323gatestat 1719/udp
-h323hostcall 1720/tcp
-h323hostcall 1720/udp
-tftp-mcast 1758/tcp
-tftp-mcast 1758/udp
-hello 1789/tcp
-hello 1789/udp
-radius 1812/tcp # Radius
-radius 1812/udp # 
Radius
-radius-acct 1813/tcp radacct # Radius Accounting
-radius-acct 1813/udp radacct # Radius Accounting
-mtp 1911/tcp #
-mtp 1911/udp #
-hsrp 1985/tcp # Cisco Hot Standby Router Protocol
-hsrp 1985/udp # Cisco Hot Standby Router Protocol
-licensedaemon 1986/tcp
-licensedaemon 1986/udp
-gdp-port 1997/tcp # Cisco Gateway Discovery Protocol
-gdp-port 1997/udp # Cisco Gateway Discovery Protocol
-nfs 2049/tcp nfsd
-nfs 2049/udp nfsd
-zephyr-srv 2102/tcp # Zephyr server
-zephyr-srv 2102/udp # Zephyr server
-zephyr-clt 2103/tcp # Zephyr serv-hm connection
-zephyr-clt 2103/udp # Zephyr serv-hm connection
-zephyr-hm 2104/tcp # Zephyr hostmanager
-zephyr-hm 2104/udp # Zephyr hostmanager
-cvspserver 2401/tcp # CVS client/server operations
-cvspserver 2401/udp # CVS client/server operations
-venus 2430/tcp # codacon port
-venus 2430/udp # Venus callback/wbc interface
-venus-se 2431/tcp # tcp side effects
-venus-se 2431/udp # udp sftp side effect
-codasrv 2432/tcp # not used
-codasrv 2432/udp # server port
-codasrv-se 2433/tcp # tcp side effects
-codasrv-se 2433/udp # udp sftp side effectQ
-
-# Ports numbered 2600 through 2606 are used by the zebra package. The primary
-# names are the registered names, and the zebra names are listed as aliases. 
-hpstgmgr 2600/tcp zebrasrv # HPSTGMGR
-hpstgmgr 2600/udp # HPSTGMGR
-discp-client 2601/tcp zebra # discp client
-discp-client 2601/udp # discp client
-discp-server 2602/tcp ripd # discp server
-discp-server 2602/udp # discp server
-servicemeter 2603/tcp ripngd # Service Meter
-servicemeter 2603/udp # Service Meter
-nsc-ccs 2604/tcp ospfd # NSC CCS
-nsc-ccs 2604/udp # NSC CCS
-nsc-posa 2605/tcp bgpd # NSC POSA
-nsc-posa 2605/udp # NSC POSA
-netmon 2606/tcp ospf6d # Dell Netmon
-netmon 2606/udp # Dell Netmon
-
-corbaloc 2809/tcp # CORBA naming service locator
-icpv2 3130/tcp # Internet Cache Protocol V2 (Squid)
-icpv2 3130/udp # Internet Cache Protocol V2 (Squid)
-mysql 3306/tcp # MySQL
-mysql 3306/udp # MySQL
-trnsprntproxy 3346/tcp # Trnsprnt Proxy
-trnsprntproxy 3346/udp # Trnsprnt Proxy
-rwhois 4321/tcp # Remote Who Is
-rwhois 4321/udp # Remote Who Is
-krb524 4444/tcp # Kerberos 5 to 4 ticket xlator
-krb524 4444/udp # Kerberos 5 to 4 ticket xlator
-rfe 5002/tcp # Radio Free Ethernet
-rfe 5002/udp # Actually uses UDP only
-jabber-client 5222/tcp # Jabber Client Connection
-jabber-client 5222/udp # Jabber Client Connection
-jabber-server 5269/tcp # Jabber Server Connection
-jabber-server 5269/udp # Jabber Server Connection
-cfengine 5308/tcp # CFengine
-cfengine 5308/udp # CFengine
-cvsup 5999/tcp CVSup # CVSup file transfer/John Polstra/FreeBSD
-cvsup 5999/udp CVSup # CVSup file transfer/John Polstra/FreeBSD
-x11 6000/tcp X # the X Window System
-afs3-fileserver 7000/tcp # file server itself
-afs3-fileserver 7000/udp # file server itself
-afs3-callback 7001/tcp # callbacks to cache managers
-afs3-callback 7001/udp # callbacks to cache managers
-afs3-prserver 7002/tcp # users & groups database
-afs3-prserver 7002/udp # users & groups database
-afs3-vlserver 7003/tcp # volume location database
-afs3-vlserver 7003/udp # volume location database
-afs3-kaserver 7004/tcp # AFS/Kerberos authentication service
-afs3-kaserver 7004/udp # AFS/Kerberos authentication service 
-afs3-volser 7005/tcp # volume managment server
-afs3-volser 7005/udp # volume managment server
-afs3-errors 7006/tcp # error interpretation service
-afs3-errors 7006/udp # error interpretation service
-afs3-bos 7007/tcp # basic overseer process
-afs3-bos 7007/udp # basic overseer process
-afs3-update 7008/tcp # server-to-server updater
-afs3-update 7008/udp # server-to-server updater
-afs3-rmtsys 7009/tcp # remote cache manager service
-afs3-rmtsys 7009/udp # remote cache manager service
-sd 9876/tcp # Session Director
-sd 9876/udp # Session Director
-amanda 10080/tcp # amanda backup services
-amanda 10080/udp # amanda backup services
-pgpkeyserver 11371/tcp # PGP/GPG public keyserver
-pgpkeyserver 11371/udp # PGP/GPG public keyserver
-h323callsigalt 11720/tcp # H323 Call Signal Alternate
-h323callsigalt 11720/udp # H323 Call Signal Alternate
-
-# This port is registered as wnn6, but also used under the name "wnn4" by the
-# FreeWnn package.
-wnn6 22273/tcp wnn4
-wnn6 22273/ucp wnn4
-
-quake 26000/tcp
-quake 26000/udp
-wnn6-ds 26208/tcp
-wnn6-ds 26208/udp
-traceroute 33434/tcp
-traceroute 33434/udp
-
-#
-# Datagram Delivery Protocol services
-#
-rtmp 1/ddp # Routing Table Maintenance Protocol
-nbp 2/ddp # Name Binding Protocol
-echo 4/ddp # AppleTalk Echo Protocol
-zip 6/ddp # Zone Information Protocol
-
-#
-# Kerberos (Project Athena/MIT) services
-# Note that these are for Kerberos v4, and are unofficial. Sites running
-# v4 should uncomment these and comment out the v5 entries above. 
-#
-kerberos_master 751/udp # Kerberos authentication
-kerberos_master 751/tcp # Kerberos authentication
-passwd_server 752/udp # Kerberos passwd server
-krbupdate 760/tcp kreg # Kerberos registration
-kpop 1109/tcp # Pop with Kerberos
-knetd 2053/tcp # Kerberos de-multiplexor
-
-#
-# Kerberos 5 services, also not registered with IANA
-#
-krb5_prop 754/tcp # Kerberos slave propagation
-eklogin 2105/tcp # Kerberos encrypted rlogin
-
-#
-# Unregistered but necessary (for NetBSD) services
-#
-supfilesrv 871/tcp # SUP server
-supfiledbg 1127/tcp # SUP debugging
-
-#
-# Unregistered but useful/necessary other services
-#
-netstat 15/tcp # (was once asssigned, no more)
-linuxconf 98/tcp # Linuxconf HTML access
-poppassd 106/tcp # Eudora
-poppassd 106/udp # Eudora
-smtps 465/tcp # SMTP over SSL (TLS)
-gii 616/tcp # gated interactive interface
-omirr 808/tcp omirrd # online mirror
-omirr 808/udp omirrd # online mirror
-swat 901/tcp # Samba Web Administration Tool
-rndc 953/tcp # rndc control sockets (BIND 9)
-rndc 953/udp # rndc control sockets (BIND 9)
-skkserv 1178/tcp # SKK Japanese input method
-rmtcfg 1236/tcp # Gracilis Packeten remote config server
-xtel 1313/tcp # french minitel
-lotusnote 1352/tcp lotusnotes # Lotus notes
-lotusnote 1352/udp lotusnotes # Lotus notes
-support 1529/tcp prmsd gnatsd # GNATS, cygnus bug tracker
-cfinger 2003/tcp # GNU Finger
-ninstall 2150/tcp # ninstall service
-ninstall 2150/udp # ninstall service
-afbackup 2988/tcp # Afbackup system
-afbackup 2988/udp # Afbackup system
-squid 3128/tcp # squid web proxy
-prsvp 3455/tcp # RSVP Port
-prsvp 3455/udp # RSVP Port
-postgres 5432/tcp # POSTGRES
-postgres 5432/udp # POSTGRES
-fax 4557/tcp # FAX transmission service (old)
-hylafax 4559/tcp # HylaFAX client-server protocol (new)
-sgi-dgl 5232/tcp # SGI Distributed Graphics
-sgi-dgl 5232/udp
-noclog 5354/tcp # noclogd with TCP (nocol)
-noclog 5354/udp # noclogd with UDP (nocol)
-hostmon 5355/tcp # hostmon uses TCP (nocol)
-hostmon 5355/udp # 
hostmon uses TCP (nocol)
-canna 5680/tcp
-x11-ssh-offset 6010/tcp # SSH X11 forwarding offset
-ircd 6667/tcp # Internet Relay Chat
-ircd 6667/udp # Internet Relay Chat
-xfs 7100/tcp # X font server
-tircproxy 7666/tcp # Tircproxy
-http-alt 8008/tcp
-http-alt 8008/udp
-webcache 8080/tcp # WWW caching service
-webcache 8080/udp # WWW caching service
-tproxy 8081/tcp # Transparent Proxy
-tproxy 8081/udp # Transparent Proxy
-jetdirect 9100/tcp laserjet hplj #
-mandelspawn 9359/udp mandelbrot # network mandelbrot
-kamanda 10081/tcp # amanda backup services (Kerberos)
-kamanda 10081/udp # amanda backup services (Kerberos)
-amandaidx 10082/tcp # amanda backup services
-amidxtape 10083/tcp # amanda backup services
-ladcca 14541/tcp # LADCCA client/server protocol
-isdnlog 20011/tcp # isdn logging system
-isdnlog 20011/udp # isdn logging system
-vboxd 20012/tcp # voice box system
-vboxd 20012/udp # voice box system
-wnn4_Kr 22305/tcp # used by the kWnn package
-wnn4_Cn 22289/tcp # used by the cWnn package
-wnn4_Tw 22321/tcp # used by the tWnn package
-binkp 24554/tcp # Binkley
-binkp 24554/udp # Binkley
-asp 27374/tcp # Address Search Protocol
-asp 27374/udp # Address Search Protocol
-tfido 60177/tcp # Ifmail
-tfido 60177/udp # Ifmail
-fido 60179/tcp # Ifmail
-fido 60179/udp # Ifmail
-
-# Cyrus SIEVE service
-sieve 2000/tcp
-sieve 2000/udp
diff --git a/contrib/altlinux/etc/squid/squid.conf b/contrib/altlinux/etc/squid/squid.conf
deleted file mode 100644
index 5d2459b91..000000000
--- a/contrib/altlinux/etc/squid/squid.conf
+++ /dev/null 
@@ -1,3303 +0,0 @@
-
-# WELCOME TO SQUID 2
-# ------------------
-#
-# This is the default Squid configuration file. You may wish
-# to look at the Squid home page (http://www.squid-cache.org/)
-# for the FAQ and other documentation.
-#
-# The default Squid config file shows what the defaults for
-# various options happen to be. If you don't need to change the
-# default, you shouldn't uncomment the line. Doing so may cause
-# run-time problems. In some cases "none" refers to no default
-# setting at all, while in other cases it refers to a valid
-# option - the comments for that keyword indicate if this is the
-# case.
-#
-
-
-# NETWORK OPTIONS
-# -----------------------------------------------------------------------------
-
-# TAG: http_port
-# Usage: port
-# hostname:port
-# 1.2.3.4:port
-#
-# The socket addresses where Squid will listen for HTTP client
-# requests. You may specify multiple socket addresses.
-# There are three forms: port alone, hostname with port, and
-# IP address with port. If you specify a hostname or IP
-# address, then Squid binds the socket to that specific
-# address. This replaces the old 'tcp_incoming_address'
-# option. Most likely, you do not need to bind to a specific
-# address, so you can use the port number alone.
-#
-# The default port number is 3128.
-#
-# If you are running Squid in accelerator mode, then you
-# probably want to listen on port 80 also, or instead.
-#
-# The -a command line option will override the *first* port
-# number listed here. That option will NOT override an IP
-# address, however.
-#
-# You may specify multiple socket addresses on multiple lines.
-#
-# If you run Squid on a dual-homed machine with an internal
-# and an external interface then we recommend you to specify the
-# internal address:port in http_port. This way Squid will only be
-# visible on the internal address.
-#
-#Default:
-# http_port 3128
-
-# TAG: https_port
-# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...] 
-#
-# The socket address where Squid will listen for HTTPS client
-# requests.
-#
-# This is really only useful for situations where you are running
-# squid in accelerator mode and you want to do the SSL work at the
-# accelerator level.
-#
-# You may specify multiple socket addresses on multiple lines,
-# each with their own SSL certificate and/or options.
-#
-# Options:
-#
-# cert= Path to SSL certificate (PEM format)
-#
-# key= Path to SSL private key file (PEM format)
-# if not specified, the certificate file is
-# assumed to be a combined certificate and
-# key file
-#
-# version= The version of SSL/TLS supported
-# 1 automatic (default)
-# 2 SSLv2 only
-# 3 SSLv3 only
-# 4 TLSv1 only
-#
-# cipher= Colon separated list of supported ciphers
-#
-# options= Varions SSL engine options. The most important
-# being:
-# NO_SSLv2 Disallow the use of SSLv2
-# NO_SSLv3 Disallow the use of SSLv3
-# NO_TLSv1 Disallow the use of TLSv1
-# See src/ssl_support.c or OpenSSL documentation
-# for a more complete list.
-#
-#Default:
-# none
-
-# TAG: ssl_unclean_shutdown
-# Some browsers (especially MSIE) bugs out on SSL shutdown
-# messages.
-#
-#Default:
-# ssl_unclean_shutdown off
-
-# TAG: icp_port
-# The port number where Squid sends and receives ICP queries to
-# and from neighbor caches. Default is 3130. To disable use
-# "0". May be overridden with -u on the command line.
-#
-#Default:
-# icp_port 3130
-
-# TAG: htcp_port
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-htcp option
-#
-# The port number where Squid sends and receives HTCP queries to
-# and from neighbor caches. Default is 4827. To disable use
-# "0".
-#
-#Default:
-# htcp_port 4827
-
-# TAG: mcast_groups
-# This tag specifies a list of multicast groups which your server
-# should join to receive multicasted ICP queries.
-#
-# NOTE! Be very careful what you put here! Be sure you
-# understand the difference between an ICP _query_ and an ICP
-# _reply_. 
This option is to be set only if you want to RECEIVE
-# multicast queries. Do NOT set this option to SEND multicast
-# ICP (use cache_peer for that). ICP replies are always sent via
-# unicast, so this option does not affect whether or not you will
-# receive replies from multicast group members.
-#
-# You must be very careful to NOT use a multicast address which
-# is already in use by another group of caches.
-#
-# If you are unsure about multicast, please read the Multicast
-# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/).
-#
-# Usage: mcast_groups 239.128.16.128 224.0.1.20
-#
-# By default, Squid doesn't listen on any multicast groups.
-#
-#Default:
-# none
-
-# TAG: udp_incoming_address
-# TAG: udp_outgoing_address
-# udp_incoming_address is used for the ICP socket receiving packets
-# from other caches.
-# udp_outgoing_address is used for ICP packets sent out to other
-# caches.
-#
-# The default behavior is to not bind to any specific address.
-#
-# A udp_incoming_address value of 0.0.0.0 indicates that Squid should
-# listen for UDP messages on all available interfaces.
-#
-# If udp_outgoing_address is set to 255.255.255.255 (the default)
-# then it will use the same socket as udp_incoming_address. Only
-# change this if you want to have ICP queries sent using another
-# address than where this Squid listens for ICP queries from other
-# caches.
-#
-# NOTE, udp_incoming_address and udp_outgoing_address can not
-# have the same value since they both use port 3130. 
-#
-#Default:
-# udp_incoming_address 0.0.0.0
-# udp_outgoing_address 255.255.255.255
-
-
-# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
-# -----------------------------------------------------------------------------
-
-# TAG: cache_peer
-# To specify other caches in a hierarchy, use the format:
-#
-# cache_peer hostname type http_port icp_port
-#
-# For example,
-#
-# # proxy icp
-# # hostname type port port options
-# # -------------------- -------- ----- ----- -----------
-# cache_peer parent.foo.net parent 3128 3130 [proxy-only]
-# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only]
-# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only]
-#
-# type: either 'parent', 'sibling', or 'multicast'.
-#
-# proxy_port: The port number where the cache listens for proxy
-# requests.
-#
-# icp_port: Used for querying neighbor caches about
-# objects. To have a non-ICP neighbor
-# specify '7' for the ICP port and make sure the
-# neighbor machine has the UDP echo port
-# enabled in its /etc/inetd.conf file.
-#
-# options: proxy-only
-# weight=n
-# ttl=n
-# no-query
-# default
-# round-robin
-# multicast-responder
-# closest-only
-# no-digest
-# no-netdb-exchange
-# no-delay
-# login=user:password | PASS | *:password
-# connect-timeout=nn
-# digest-url=url
-# allow-miss
-# max-conn
-# htcp
-# carp-load-factor
-#
-# use 'proxy-only' to specify that objects fetched
-# from this cache should not be saved locally.
-#
-# use 'weight=n' to specify a weighted parent.
-# The weight must be an integer. The default weight
-# is 1, larger weights are favored more.
-#
-# use 'ttl=n' to specify a IP multicast TTL to use
-# when sending an ICP queries to this address.
-# Only useful when sending to a multicast group.
-# Because we don't accept ICP replies from random
-# hosts, you must configure other group members as
-# peers with the 'multicast-responder' option below.
-#
-# use 'no-query' to NOT send ICP queries to this
-# neighbor. 
-#
-# use 'default' if this is a parent cache which can
-# be used as a "last-resort." You should probably
-# only use 'default' in situations where you cannot
-# use ICP with your parent cache(s).
-#
-# use 'round-robin' to define a set of parents which
-# should be used in a round-robin fashion in the
-# absence of any ICP queries.
-#
-# 'multicast-responder' indicates that the named peer
-# is a member of a multicast group. ICP queries will
-# not be sent directly to the peer, but ICP replies
-# will be accepted from it.
-#
-# 'closest-only' indicates that, for ICP_OP_MISS
-# replies, we'll only forward CLOSEST_PARENT_MISSes
-# and never FIRST_PARENT_MISSes.
-#
-# use 'no-digest' to NOT request cache digests from
-# this neighbor.
-#
-# 'no-netdb-exchange' disables requesting ICMP
-# RTT database (NetDB) from the neighbor.
-#
-# use 'no-delay' to prevent access to this neighbor
-# from influencing the delay pools.
-#
-# use 'login=user:password' if this is a personal/workgroup
-# proxy and your parent requires proxy authentication.
-# Note: The string can include URL escapes (i.e. %20 for
-# spaces). This also means that % must be written as %%.
-#
-# use 'login=PASS' if users must authenticate against
-# the upstream proxy. This will pass the users credentials
-# as they are to the peer proxy. This only works for the
-# Basic HTTP authentication sheme. Note: To combine this
-# with proxy_auth both proxies must share the same user
-# database as HTTP only allows for one proxy login.
-# Also be warned that this will expose your users proxy
-# password to the peer. USE WITH CAUTION
-#
-# use 'login=*:password' to pass the username to the
-# upstream cache, but with a fixed password. This is meant
-# to be used when the peer is in another administrative
-# domain, but it is still needed to identify each user.
-# The star can optionally be followed by some extra
-# information which is added to the username. 
This can
-# be used to identify this proxy to the peer, similar to
-# the login=username:password option above.
-#
-# use 'connect-timeout=nn' to specify a peer
-# specific connect timeout (also see the
-# peer_connect_timeout directive)
-#
-# use 'digest-url=url' to tell Squid to fetch the cache
-# digest (if digests are enabled) for this host from
-# the specified URL rather than the Squid default
-# location.
-#
-# use 'allow-miss' to disable Squid's use of only-if-cached
-# when forwarding requests to siblings. This is primarily
-# useful when icp_hit_stale is used by the sibling. To
-# extensive use of this option may result in forwarding
-# loops, and you should avoid having two-way peerings
-# with this option. (for example to deny peer usage on
-# requests from peer by denying cache_peer_access if the
-# source is a peer)
-#
-# use 'max-conn' to limit the amount of connections Squid
-# may open to this peer.
-#
-# use 'htcp' to send HTCP, instead of ICP, queries
-# to the neighbor. You probably also want to
-# set the "icp port" to 4827 instead of 3130.
-#
-# use 'carp-load-factor=f' to define a parent
-# cache as one participating in a CARP array.
-# The 'f' values for all CARP parents must add
-# up to 1.0.
-#
-#
-# NOTE: non-ICP/HTCP neighbors must be specified as 'parent'.
-#
-#Default:
-# none
-
-# TAG: cache_peer_domain
-# Use to limit the domains for which a neighbor cache will be
-# queried. Usage:
-#
-# cache_peer_domain cache-host domain [domain ...]
-# cache_peer_domain cache-host !domain
-#
-# For example, specifying
-#
-# cache_peer_domain parent.foo.net .edu
-#
-# has the effect such that UDP query packets are sent to
-# 'bigserver' only when the requested object exists on a
-# server in the .edu domain. Prefixing the domainname
-# with '!' means that the cache will be queried for objects
-# NOT in that domain.
-#
-# NOTE: * Any number of domains may be given for a cache-host,
-# either on the same or separate lines. 
-# * When multiple domains are given for a particular
-# cache-host, the first matched domain is applied.
-# * Cache hosts with no domain restrictions are queried
-# for all requests.
-# * There are no defaults.
-# * There is also a 'cache_peer_access' tag in the ACL
-# section.
-#
-#Default:
-# none
-
-# TAG: neighbor_type_domain
-# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
-#
-# Modifying the neighbor type for specific domains is now
-# possible. You can treat some domains differently than the the
-# default neighbor type specified on the 'cache_peer' line.
-# Normally it should only be necessary to list domains which
-# should be treated differently because the default neighbor type
-# applies for hostnames which do not match domains listed here.
-#
-#EXAMPLE:
-# cache_peer parent cache.foo.org 3128 3130
-# neighbor_type_domain cache.foo.org sibling .com .net
-# neighbor_type_domain cache.foo.org sibling .au .de
-#
-#Default:
-# none
-
-# TAG: icp_query_timeout (msec)
-# Normally Squid will automatically determine an optimal ICP
-# query timeout value based on the round-trip-time of recent ICP
-# queries. If you want to override the value determined by
-# Squid, set this 'icp_query_timeout' to a non-zero value. This
-# value is specified in MILLISECONDS, so, to use a 2-second
-# timeout (the old default), you would write:
-#
-# icp_query_timeout 2000
-#
-#Default:
-# icp_query_timeout 0
-
-# TAG: maximum_icp_query_timeout (msec)
-# Normally the ICP query timeout is determined dynamically. But
-# sometimes it can lead to very large values (say 5 seconds).
-# Use this option to put an upper limit on the dynamic timeout
-# value. Do NOT use this option to always use a fixed (instead
-# of a dynamic) timeout value. To set a fixed timeout see the
-# 'icp_query_timeout' directive. 
-#
-#Default:
-# maximum_icp_query_timeout 2000
-
-# TAG: mcast_icp_query_timeout (msec)
-# For Multicast peers, Squid regularly sends out ICP "probes" to
-# count how many other peers are listening on the given multicast
-# address. This value specifies how long Squid should wait to
-# count all the replies. The default is 2000 msec, or 2
-# seconds.
-#
-#Default:
-# mcast_icp_query_timeout 2000
-
-# TAG: dead_peer_timeout (seconds)
-# This controls how long Squid waits to declare a peer cache
-# as "dead." If there are no ICP replies received in this
-# amount of time, Squid will declare the peer dead and not
-# expect to receive any further ICP replies. However, it
-# continues to send ICP queries, and will mark the peer as
-# alive upon receipt of the first subsequent ICP reply.
-#
-# This timeout also affects when Squid expects to receive ICP
-# replies from peers. If more than 'dead_peer' seconds have
-# passed since the last ICP reply was received, Squid will not
-# expect to receive an ICP reply on the next query. Thus, if
-# your time between requests is greater than this timeout, you
-# will see a lot of requests sent DIRECT to origin servers
-# instead of to your parents.
-#
-#Default:
-# dead_peer_timeout 10 seconds
-
-# TAG: hierarchy_stoplist
-# A list of words which, if found in a URL, cause the object to
-# be handled directly by this cache. In other words, use this
-# to not query neighbor caches for certain objects. You may
-# list this option multiple times.
-#We recommend you to use at least the following line.
-hierarchy_stoplist cgi-bin ?
-
-# TAG: no_cache
-# A list of ACL elements which, if matched, cause the request to
-# not be satisfied from the cache and the reply to not be cached.
-# In other words, use this to force certain objects to never be cached.
-#
-# You must use the word 'DENY' to indicate the ACL names which should
-# NOT be cached.
-#
-#We recommend you to use the following two lines.
-acl QUERY urlpath_regex cgi-bin \?
-no_cache deny QUERY
-
-
-# OPTIONS WHICH AFFECT THE CACHE SIZE
-# -----------------------------------------------------------------------------
-
-# TAG: cache_mem (bytes)
-# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
-# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
-# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
-# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
-#
-# 'cache_mem' specifies the ideal amount of memory to be used
-# for:
-# * In-Transit objects
-# * Hot Objects
-# * Negative-Cached objects
-#
-# Data for these objects are stored in 4 KB blocks. This
-# parameter specifies the ideal upper limit on the total size of
-# 4 KB blocks allocated. In-Transit objects take the highest
-# priority.
-#
-# In-transit objects have priority over the others. When
-# additional space is needed for incoming data, negative-cached
-# and hot objects will be released. In other words, the
-# negative-cached and hot objects will fill up any unused space
-# not needed for in-transit objects.
-#
-# If circumstances require, this limit will be exceeded.
-# Specifically, if your incoming request rate requires more than
-# 'cache_mem' of memory to hold in-transit objects, Squid will
-# exceed this limit to satisfy the new requests. When the load
-# decreases, blocks will be freed until the high-water mark is
-# reached. Thereafter, blocks will be used to store hot
-# objects.
-#
-#Default:
-# cache_mem 8 MB
-
-# TAG: cache_swap_low (percent, 0-100)
-# TAG: cache_swap_high (percent, 0-100)
-#
-# The low- and high-water marks for cache object replacement.
-# Replacement begins when the swap (disk) usage is above the
-# low-water mark and attempts to maintain utilization near the
-# low-water mark. As swap utilization gets close to high-water
-# mark object eviction becomes more aggressive. If utilization is
-# close to the low-water mark less replacement is done each time.
-#
-# Defaults are 90% and 95%.
If you have a large cache, 5% could be
-# hundreds of MB. If this is the case you may wish to set these
-# numbers closer together.
-#
-#Default:
-# cache_swap_low 90
-# cache_swap_high 95
-
-# TAG: maximum_object_size (bytes)
-# Objects larger than this size will NOT be saved on disk. The
-# value is specified in kilobytes, and the default is 4MB. If
-# you wish to get a high BYTES hit ratio, you should probably
-# increase this (one 32 MB object hit counts for 3200 10KB
-# hits). If you wish to increase speed more than your want to
-# save bandwidth you should leave this low.
-#
-# NOTE: if using the LFUDA replacement policy you should increase
-# this value to maximize the byte hit rate improvement of LFUDA!
-# See replacement_policy below for a discussion of this policy.
-#
-#Default:
-# maximum_object_size 4096 KB
-
-# TAG: minimum_object_size (bytes)
-# Objects smaller than this size will NOT be saved on disk. The
-# value is specified in kilobytes, and the default is 0 KB, which
-# means there is no minimum.
-#
-#Default:
-# minimum_object_size 0 KB
-
-# TAG: maximum_object_size_in_memory (bytes)
-# Objects greater than this size will not be attempted to kept in
-# the memory cache. This should be set high enough to keep objects
-# accessed frequently in memory to improve performance whilst low
-# enough to keep larger objects from hoarding cache_mem .
-#
-#Default:
-# maximum_object_size_in_memory 8 KB
-
-# TAG: ipcache_size (number of entries)
-# TAG: ipcache_low (percent)
-# TAG: ipcache_high (percent)
-# The size, low-, and high-water marks for the IP cache.
-#
-#Default:
-# ipcache_size 1024
-# ipcache_low 90
-# ipcache_high 95
-
-# TAG: fqdncache_size (number of entries)
-# Maximum number of FQDN cache entries.
-#
-#Default:
-# fqdncache_size 1024
-
-# TAG: cache_replacement_policy
-# The cache replacement policy parameter determines which
-# objects are evicted (replaced) when disk space is needed.
-#
-# lru : Squid's original list based LRU policy
-# heap GDSF : Greedy-Dual Size Frequency
-# heap LFUDA: Least Frequently Used with Dynamic Aging
-# heap LRU : LRU policy implemented using a heap
-#
-# Applies to any cache_dir lines listed below this.
-#
-# The LRU policies keeps recently referenced objects.
-#
-# The heap GDSF policy optimizes object hit rate by keeping smaller
-# popular objects in cache so it has a better chance of getting a
-# hit. It achieves a lower byte hit rate than LFUDA though since
-# it evicts larger (possibly popular) objects.
-#
-# The heap LFUDA policy keeps popular objects in cache regardless of
-# their size and thus optimizes byte hit rate at the expense of
-# hit rate since one large, popular object will prevent many
-# smaller, slightly less popular objects from being cached.
-#
-# Both policies utilize a dynamic aging mechanism that prevents
-# cache pollution that can otherwise occur with frequency-based
-# replacement policies.
-#
-# NOTE: if using the LFUDA replacement policy you should increase
-# the value of maximum_object_size above its default of 4096 KB to
-# to maximize the potential byte hit rate improvement of LFUDA.
-#
-# For more information about the GDSF and LFUDA cache replacement
-# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
-# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
-#
-#Default:
-# cache_replacement_policy lru
-
-# TAG: memory_replacement_policy
-# The memory replacement policy parameter determines which
-# objects are purged from memory when memory space is needed.
-#
-# See cache_replacement_policy for details.
-#
-#Default:
-# memory_replacement_policy lru
-
-
-# LOGFILE PATHNAMES AND CACHE DIRECTORIES
-# -----------------------------------------------------------------------------
-
-# TAG: cache_dir
-# Usage:
-#
-# cache_dir Type Directory-Name Fs-specific-data [options]
-#
-# You can specify multiple cache_dir lines to spread the
-# cache among different disk partitions.
-#
-# Type specifies the kind of storage system to use. Only "ufs"
-# is built by default. To eanble any of the other storage systems
-# see the --enable-storeio configure option.
-#
-# 'Directory' is a top-level directory where cache swap
-# files will be stored. If you want to use an entire disk
-# for caching, then this can be the mount-point directory.
-# The directory must exist and be writable by the Squid
-# process. Squid will NOT create this directory for you.
-#
-# The ufs store type:
-#
-# "ufs" is the old well-known Squid storage format that has always
-# been there.
-#
-# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
-#
-# 'Mbytes' is the amount of disk space (MB) to use under this
-# directory. The default is 100 MB. Change this to suit your
-# configuration. Do NOT put the size of your disk drive here.
-# Instead, if you want Squid to use the entire disk drive,
-# subtract 20% and use that value.
-#
-# 'Level-1' is the number of first-level subdirectories which
-# will be created under the 'Directory'. The default is 16.
-#
-# 'Level-2' is the number of second-level subdirectories which
-# will be created under each first-level directory. The default
-# is 256.
-#
-# The aufs store type:
-#
-# "aufs" uses the same storage format as "ufs", utilizing
-# POSIX-threads to avoid blocking the main Squid process on
-# disk-I/O. This was formerly known in Squid as async-io.
-#
-# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
-#
-# see argument descriptions under ufs above
-#
-# The diskd store type:
-#
-# "diskd" uses the same storage format as "ufs", utilizing a
-# separate process to avoid blocking the main Squid process on
-# disk-I/O.
-#
-# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
-#
-# see argument descriptions under ufs above
-#
-# Q1 specifies the number of unacknowledged I/O requests when Squid
-# stops opening new files. If this many messages are in the queues,
-# Squid won't open new files. Default is 64
-#
-# Q2 specifies the number of unacknowledged messages when Squid
-# starts blocking. If this many messages are in the queues,
-# Squid blocks until it recevies some replies. Default is 72
-#
-# The coss store type:
-#
-# block-size=n defines the "block size" for COSS cache_dir's.
-# Squid uses file numbers as block numbers. Since file numbers
-# are limited to 24 bits, the block size determines the maximum
-# size of the COSS partition. The default is 512 bytes, which
-# leads to a maximum cache_dir size of 512<<24, or 8 GB. Note
-# that you should not change the coss block size after Squid
-# has written some objects to the cache_dir.
-#
-# Common options:
-#
-# read-only, this cache_dir is read only.
-#
-# max-size=n, refers to the max object size this storedir supports.
-# It is used to initially choose the storedir to dump the object.
-# Note: To make optimal use of the max-size limits you should order
-# the cache_dir lines with the smallest max-size value first and the
-# ones with no max-size specification last.
-#
-# Note that for coss, max-size must be less than COSS_MEMBUF_SZ
-# (hard coded at 1 MB).
-#
-#Default:
-# cache_dir ufs /var/spool/squid 100 16 256
-
-# TAG: cache_access_log
-# Logs the client request activity. Contains an entry for
-# every HTTP and ICP queries received. To disable, enter "none".
-#
-#Default:
-# cache_access_log /var/log/squid/access.log
-
-# TAG: cache_log
-# Cache logging file. This is where general information about
-# your cache's behavior goes. You can increase the amount of data
-# logged to this file with the "debug_options" tag below.
-#
-#Default:
-# cache_log /var/log/squid/cache.log
-
-# TAG: cache_store_log
-# Logs the activities of the storage manager. Shows which
-# objects are ejected from the cache, and which objects are
-# saved and for how long. To disable, enter "none". There are
-# not really utilities to analyze this data, so you can safely
-# disable it.
-#
-#Default:
-# cache_store_log /var/log/squid/store.log
-
-# TAG: cache_swap_log
-# Location for the cache "swap.log." This log file holds the
-# metadata of objects saved on disk. It is used to rebuild the
-# cache during startup. Normally this file resides in each
-# 'cache_dir' directory, but you may specify an alternate
-# pathname here. Note you must give a full filename, not just
-# a directory. Since this is the index for the whole object
-# list you CANNOT periodically rotate it!
-#
-# If %s can be used in the file name then it will be replaced with a
-# a representation of the cache_dir name where each / is replaced
-# with '.'. This is needed to allow adding/removing cache_dir
-# lines when cache_swap_log is being used.
-#
-# If have more than one 'cache_dir', and %s is not used in the name
-# then these swap logs will have names such as:
-#
-# cache_swap_log.00
-# cache_swap_log.01
-# cache_swap_log.02
-#
-# The numbered extension (which is added automatically)
-# corresponds to the order of the 'cache_dir' lines in this
-# configuration file. If you change the order of the 'cache_dir'
-# lines in this file, then these log files will NOT correspond to
-# the correct 'cache_dir' entry (unless you manually rename
-# them). We recommend that you do NOT use this option. It is
-# better to keep these log files in each 'cache_dir' directory.
-#
-#Default:
-# none
-
-# TAG: emulate_httpd_log on|off
-# The Cache can emulate the log file format which many 'httpd'
-# programs use. To disable/enable this emulation, set
-# emulate_httpd_log to 'off' or 'on'. The default
-# is to use the native log format since it includes useful
-# information that Squid-specific log analyzers use.
-#
-#Default:
-# emulate_httpd_log off
-
-# TAG: log_ip_on_direct on|off
-# Log the destination IP address in the hierarchy log tag when going
-# direct. Earlier Squid versions logged the hostname here. If you
-# prefer the old way set this to off.
-#
-#Default:
-# log_ip_on_direct on
-
-# TAG: mime_table
-# Pathname to Squid's MIME table. You shouldn't need to change
-# this, but the default file contains examples and formatting
-# information if you do.
-#
-#Default:
-# mime_table /etc/squid/mime.conf
-
-# TAG: log_mime_hdrs on|off
-# The Cache can record both the request and the response MIME
-# headers for each HTTP transaction. The headers are encoded
-# safely and will appear as two bracketed fields at the end of
-# the access log (for either the native or httpd-emulated log
-# formats). To enable this logging set log_mime_hdrs to 'on'.
-#
-#Default:
-# log_mime_hdrs off
-
-# TAG: useragent_log
-# Squid will write the User-Agent field from HTTP requests
-# to the filename specified here. By default useragent_log
-# is disabled.
-#
-#Default:
-# none
-
-# TAG: referer_log
-# Note: This option is only available if Squid is rebuilt with the
-# --enable-referer-log option
-#
-# Squid will write the Referer field from HTTP requests to the
-# filename specified here. By default referer_log is disabled.
-#
-#Default:
-# none
-
-# TAG: pid_filename
-# A filename to write the process-id to. To disable, enter "none".
-#
-#Default:
-# pid_filename /var/run/squid.pid
-
-# TAG: debug_options
-# Logging options are set as section,level where each source file
-# is assigned a unique section.
Lower levels result in less
-# output, Full debugging (level 9) can result in a very large
-# log file, so be careful. The magic word "ALL" sets debugging
-# levels for all sections. We recommend normally running with
-# "ALL,1".
-#
-#Default:
-# debug_options ALL,1
-
-# TAG: log_fqdn on|off
-# Turn this on if you wish to log fully qualified domain names
-# in the access.log. To do this Squid does a DNS lookup of all
-# IP's connecting to it. This can (in some situations) increase
-# latency, which makes your cache seem slower for interactive
-# browsing.
-#
-#Default:
-# log_fqdn off
-
-# TAG: client_netmask
-# A netmask for client addresses in logfiles and cachemgr output.
-# Change this to protect the privacy of your cache clients.
-# A netmask of 255.255.255.0 will log all IP's in that range with
-# the last digit set to '0'.
-#
-#Default:
-# client_netmask 255.255.255.255
-
-
-# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
-# -----------------------------------------------------------------------------
-
-# TAG: ftp_user
-# If you want the anonymous login password to be more informative
-# (and enable the use of picky ftp servers), set this to something
-# reasonable for your domain, like wwwuser@somewhere.net
-#
-# The reason why this is domainless by default is that the
-# request can be made on the behalf of a user in any domain,
-# depending on how the cache is used.
-# Some ftp server also validate that the email address is valid
-# (for example perl.com).
-#
-#Default:
-# ftp_user Squid@
-
-# TAG: ftp_list_width
-# Sets the width of ftp listings. This should be set to fit in
-# the width of a standard browser. Setting this too small
-# can cut off long filenames when browsing ftp sites.
-#
-#Default:
-# ftp_list_width 32
-
-# TAG: ftp_passive
-# If your firewall does not allow Squid to use passive
-# connections, then turn off this option.
-#
-#Default:
-# ftp_passive on
-
-# TAG: ftp_sanitycheck
-# For security and data integrity reasons Squid by default performs
-# sanity checks of the addresses of FTP data connections ensure the
-# data connection is to the requested server. If you need to allow
-# FTP connections to servers using another IP address for the data
-# connection then turn this off.
-#
-#Default:
-# ftp_sanitycheck on
-
-# TAG: ftp_telnet_protocol
-# The FTP protocol is officially defined to use the telnet protocol
-# as transport channel for the control connection. However, many
-# implemenations are broken and does not respect this aspect of
-# the FTP protocol.
-#
-# If you have trouble accessing files with ASCII code 255 in the
-# path or similar problems involving this ASCII code then you can
-# try setting this directive to off. If that helps report to the
-# operator of the FTP server in question that their FTP server
-# is broken and does not follow the FTP standard.
-#
-#Default:
-# ftp_telnet_protocol on
-
-# TAG: cache_dns_program
-# Note: This option is only available if Squid is rebuilt with the
-# --disable-internal-dns option
-#
-# Specify the location of the executable for dnslookup process.
-#
-#Default:
-# cache_dns_program /usr/lib/squid/dnsserver
-
-# TAG: dns_children
-# Note: This option is only available if Squid is rebuilt with the
-# --disable-internal-dns option
-#
-# The number of processes spawn to service DNS name lookups.
-# For heavily loaded caches on large servers, you should
-# probably increase this value to at least 10. The maximum
-# is 32. The default is 5.
-#
-# You must have at least one dnsserver process.
-#
-#Default:
-# dns_children 5
-
-# TAG: dns_retransmit_interval
-# Initial retransmit interval for DNS queries. The interval is
-# doubled each time all configured DNS servers have been tried.
-#
-#
-#Default:
-# dns_retransmit_interval 5 seconds
-
-# TAG: dns_timeout
-# DNS Query timeout.
If no response is received to a DNS query
-# within this time then all DNS servers for the queried domain
-# is assumed to be unavailable.
-#
-#Default:
-# dns_timeout 2 minutes
-
-# TAG: dns_defnames on|off
-# Note: This option is only available if Squid is rebuilt with the
-# --disable-internal-dns option
-#
-# Normally the 'dnsserver' disables the RES_DEFNAMES resolver
-# option (see res_init(3)). This prevents caches in a hierarchy
-# from interpreting single-component hostnames locally. To allow
-# dnsserver to handle single-component names, enable this
-# option.
-#
-#Default:
-# dns_defnames off
-
-# TAG: dns_nameservers
-# Use this if you want to specify a list of DNS name servers
-# (IP addresses) to use instead of those given in your
-# /etc/resolv.conf file.
-# On Windows platforms, if no value is specified here or in
-# the /etc/resolv.conf file, the list of DNS name servers are
-# taken from the Windows registry, both static and dynamic DHCP
-# configurations are supported.
-#
-# Example: dns_nameservers 10.0.0.1 192.172.0.4
-#
-#Default:
-# none
-
-# TAG: hosts_file
-# Location of the host-local IP name-address associations
-# database. Most Operating Systems have such a file: under
-# Un*X it's by default in /etc/hosts MS-Windows NT/2000 places
-# that in %SystemRoot%(by default
-# c:\winnt)\system32\drivers\etc\hosts, while Windows 9x/ME
-# places that in %windir%(usually c:\windows)\hosts
-#
-# The file contains newline-separated definitions, in the
-# form ip_address_in_dotted_form name [name ...] names are
-# whitespace-separated. lines beginnng with an hash (#)
-# character are comments.
-#
-# The file is checked at startup and upon configuration. If
-# set to 'none', it won't be checked. If append_domain is
-# used, that domain will be added to domain-local (i.e. not
-# containing any dot character) host definitions.
-#
-#Default:
-# hosts_file /etc/hosts
-
-# TAG: diskd_program
-# Specify the location of the diskd executable.
-# Note that this is only useful if you have compiled in
-# diskd as one of the store io modules.
-#
-#Default:
-# diskd_program /usr/lib/squid/diskd
-
-# TAG: unlinkd_program
-# Specify the location of the executable for file deletion process.
-#
-#Default:
-# unlinkd_program /usr/lib/squid/unlinkd
-
-# TAG: pinger_program
-# Specify the location of the executable for the pinger process.
-#
-#Default:
-# pinger_program /usr/lib/squid/pinger
-
-# TAG: redirect_program
-# Specify the location of the executable for the URL redirector.
-# Since they can perform almost any function there isn't one included.
-# See the FAQ (section 15) for information on how to write one.
-# By default, a redirector is not used.
-#
-#Default:
-# none
-
-# TAG: redirect_children
-# The number of redirector processes to spawn. If you start
-# too few Squid will have to wait for them to process a backlog of
-# URLs, slowing it down. If you start too many they will use RAM
-# and other system resources.
-#
-#Default:
-# redirect_children 5
-
-# TAG: redirect_rewrites_host_header
-# By default Squid rewrites any Host: header in redirected
-# requests. If you are running an accelerator then this may
-# not be a wanted effect of a redirector.
-#
-#Default:
-# redirect_rewrites_host_header on
-
-# TAG: redirector_access
-# If defined, this access list specifies which requests are
-# sent to the redirector processes. By default all requests
-# are sent.
-#
-#Default:
-# none
-
-# TAG: auth_param
-# This is used to define parameters for the various authentication
-# schemes supported by Squid.
-#
-# format: auth_param scheme parameter [setting]
-#
-# The order that authentication schemes are presented to the client is
-# dependant on the order the scheme first appears in config file. IE
-# has a bug (it's not rfc 2617 compliant) in that it will use the basic
-# scheme if basic is the first entry presented, even if more secure
-# schemes are presented.
For now use the order in the recommended
-# settings section below. If other browsers have difficulties (don't
-# recognise the schemes offered even if you are using basic) then either
-# put basic first, or disable the other schemes (by commenting out their
-# program entry).
-#
-# Once an authentication scheme is fully configured, it can only be
-# shutdown by shutting squid down and restarting. Changes can be made on
-# the fly and activated with a reconfigure. I.E. You can change to a
-# different helper, but not unconfigure the helper completely.
-#
-# Please note that while this directive defines how Squid processes
-# authentication it does not automatically activate authentication.
-# To use authenticaiton you must in addition make use of acls based
-# on login name in http_access (proxy_auth, proxy_auth_regex or
-# external with %LOGIN used in the format tag). The browser will be
-# challenged for authentication on the first such acl encountered
-# in http_access processing and will also be rechallenged for new
-# login credentials if the request is being denied by a proxy_auth
-# type acl.
-#
-# === Parameters for the basic scheme follow. ===
-#
-# "program" cmdline
-# Specify the command for the external authenticator. Such a program
-# reads a line containing "username password" and replies "OK" or
-# "ERR" in an endless loop.
-#
-# By default, the basic authentication sheme is not used unless a
-# program is specified.
-#
-# If you want to use the traditional proxy authentication, jump over to
-# the helpers/basic_auth/NCSA directory and type:
-# % make
-# % make install
-#
-# Then, set this line to something like
-#
-# auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
-#
-# "children" numberofchildren
-# The number of authenticator processes to spawn.
-# If you start too few Squid will have to wait for them to process a
-# backlog of usercode/password verifications, slowing it down.
When
-# password verifications are done via a (slow) network you are likely to
-# need lots of authenticator processes.
-# auth_param basic children 5
-#
-# "realm" realmstring
-# Specifies the realm name which is to be reported to the client for
-# the basic proxy authentication scheme (part of the text the user
-# will see when prompted their username and password).
-# auth_param basic realm Squid proxy-caching web server
-#
-# "credentialsttl" timetolive
-# Specifies how long squid assumes an externally validated
-# username:password pair is valid for - in other words how often the
-# helper program is called for that user. Set this low to force
-# revalidation with short lived passwords. Note that setting this high
-# does not impact your susceptability to replay attacks unless you are
-# using an one-time password system (such as SecureID). If you are using
-# such a system, you will be vulnerable to replay attacks unless you
-# also use the max_user_ip ACL in an http_access rule.
-# auth_param basic credentialsttl 2 hours
-#
-# === Parameters for the digest scheme follow ===
-#
-# "program" cmdline
-# Specify the command for the external authenticator. Such a program
-# reads a line containing "username":"realm" and replies with the
-# appropriate H(A1) value base64 encoded. See rfc 2616 for the
-# definition of H(A1).
-#
-# By default, the digest authentication scheme is not used unless a
-# program is specified.
-#
-# If you want to use a digest authenticator, jump over to the
-# helpers/digest_auth/ directory and choose the authenticator to use.
-# It it's directory type
-# % make
-# % make install
-#
-# Then, set this line to something like
-#
-# auth_param digest program /usr/libexec/digest_auth_pw /usr/etc/digpass
-#
-#
-# "children" numberofchildren
-# The number of authenticator processes to spawn (no default). If you
-# start too few Squid will have to wait for them to process a backlog of
-# H(A1) calculations, slowing it down.
When the H(A1) calculations are
-# done via a (slow) network you are likely to need lots of authenticator
-# processes.
-# auth_param digest children 5
-#
-# "realm" realmstring
-# Specifies the realm name which is to be reported to the client for the
-# digest proxy authentication scheme (part of the text the user will see
-# when prompted their username and password).
-# auth_param digest realm Squid proxy-caching web server
-#
-# "nonce_garbage_interval" timeinterval
-# Specifies the interval that nonces that have been issued to clients are
-# checked for validity.
-# auth_param digest nonce_garbage_interval 5 minutes
-#
-# "nonce_max_duration" timeinterval
-# Specifies the maximum length of time a given nonce will be valid for.
-# auth_param digest nonce_max_duration 30 minutes
-#
-# "nonce_max_count" number
-# Specifies the maximum number of times a given nonce can be used.
-# auth_param digest nonce_max_count 50
-#
-# "nonce_strictness" on|off
-# Determines if squid requires strict increment-by-1 behaviour for nonce
-# counts, or just incrementing (off - for use when useragents generate
-# nonce counts that occasionally miss 1 (ie, 1,2,4,6)).
-# auth_param digest nonce_strictness off
-#
-# "check_nonce_count" on|off
-# This directive if set to off can disable the nonce count check
-# completely to work around buggy digest qop implementations in certain
-# mainstream browser versions. Default on to check the nonce count to
-# protect from authentication replay attacks.
-# auth_param digest check_nonce_count on
-#
-# "post_workaround" on|off
-# This is a workaround to certain buggy browsers who sends an incorrect
-# request digest in POST requests when reusing the same nonce as aquired
-# earlier in response to a GET request.
-# auth_param digest post_workaround off
-#
-# === NTLM scheme options follow ===
-#
-# "program" cmdline
-# Specify the command for the external ntlm authenticator.
Such a
-# program participates in the NTLMSSP exchanges between Squid and the
-# client and reads commands according to the Squid ntlmssp helper
-# protocol. See helpers/ntlm_auth/ for details. Recommended ntlm
-# authenticator is ntlm_auth from Samba-3.X, but a number of other
-# ntlm authenticators is available.
-#
-# By default, the ntlm authentication scheme is not used unless a
-# program is specified.
-#
-# auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
-#
-# "children" numberofchildren
-# The number of authenticator processes to spawn (no default). If you
-# start too few Squid will have to wait for them to process a backlog
-# of credential verifications, slowing it down. When crendential
-# verifications are done via a (slow) network you are likely to need
-# lots of authenticator processes.
-# auth_param ntlm children 5
-#
-# "max_challenge_reuses" number
-# The maximum number of times a challenge given by a ntlm authentication
-# helper can be reused. Increasing this number increases your exposure
-# to replay attacks on your network. 0 (the default) means use the
-# challenge is used only once. See also the max_ntlm_challenge_lifetime
-# directive if enabling challenge reuses.
-# auth_param ntlm max_challenge_reuses 0
-#
-# "max_challenge_lifetime" timespan
-# The maximum time period that a ntlm challenge is reused over. The
-# actual period will be the minimum of this time AND the number of
-# reused challenges.
-# auth_param ntlm max_challenge_lifetime 2 minutes
-#
-# "use_ntlm_negotiate" on|off
-# Enables support for NTLM NEGOTIATE packet exchanges with the helper.
-# The configured ntlm authenticator must be able to handle NTLM
-# NEGOTIATE packet. See the authenticator programs documentation if
-# unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
-# option.
-#
-# The NEGOTIATE packet is required to support NTLMv2 and a
-# number of other negotiable NTLMSSP options, and also makes it
-# more likely the negotiation is successful. Enabling this parameter
-# will also solve problems encountered when NT domain policies
-# restrict users to access only certain workstations. When this is off,
-# all users must be allowed to log on the proxy servers too, or they'll
-# get "invalid workstation" errors - and access denied - when trying to
-# use Squid's services.
-# Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
-# enabling this parameter will OVERRIDE the max_challenge_reuses and
-# max_challenge_lifetime parameters and set them to 0.
-# auth_param ntlm use_ntlm_negotiate off
-#
-#Recommended minimum configuration:
-#auth_param digest program
-#auth_param digest children 5
-#auth_param digest realm Squid proxy-caching web server
-#auth_param digest nonce_garbage_interval 5 minutes
-#auth_param digest nonce_max_duration 30 minutes
-#auth_param digest nonce_max_count 50
-#auth_param ntlm program /usr/lib/squid/ntlm_auth IPH\\PDC
-#auth_param ntlm children 5
-#auth_param ntlm max_challenge_reuses 0
-#auth_param ntlm max_challenge_lifetime 2 minutes
-#auth_param ntlm use_ntlm_negotiate off
-auth_param basic program /usr/lib/squid/squid_ldap_auth -b ou=People,dc=example,dc=com -f (&(uid=%s)(objectClass=gosaProxyAccount))
-auth_param basic children 5
-auth_param basic realm Squid proxy-caching web server
-auth_param basic credentialsttl 2 hours
-
-# TAG: authenticate_cache_garbage_interval
-# The time period between garbage collection across the username cache.
-# This is a tradeoff between memory utilisation (long intervals - say
-# 2 days) and CPU (short intervals - say 1 minute). Only change if you
-# have good reason to.
-#
-#Default:
-# authenticate_cache_garbage_interval 1 hour
-
-# TAG: authenticate_ttl
-# The time a user & their credentials stay in the logged in user cache
-# since their last request.
When the garbage interval passes, all user
-# credentials that have passed their TTL are removed from memory.
-#
-#Default:
-# authenticate_ttl 1 hour
-
-# TAG: authenticate_ip_ttl
-# If you use proxy authentication and the 'max_user_ip' ACL, this
-# directive controls how long Squid remembers the IP addresses
-# associated with each user. Use a small value (e.g., 60 seconds) if
-# your users might change addresses quickly, as is the case with
-# dialups. You might be safe using a larger value (e.g., 2 hours) in a
-# corporate LAN environment with relatively static address assignments.
-#
-#Default:
-# authenticate_ip_ttl 0 seconds
-
-# TAG: external_acl_type
-# This option defines external acl classes using a helper program to
-# look up the status
-#
-# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
-#
-# Options:
-#
-# ttl=n TTL in seconds for cached results (defaults to 3600
-# for 1 hour)
-# negative_ttl=n
-# TTL for cached negative lookups (default same
-# as ttl)
-# children=n Concurrency level / number of processes spawn
-# to service external acl lookups of this type.
-# Note: see compatibility note below
-# cache=n result cache size, 0 is unbounded (default)
-#
-# FORMAT specifications
-#
-# %LOGIN Authenticated user login name
-# %IDENT Ident user name
-# %SRC Client IP
-# %DST Requested host
-# %PROTO Requested protocol
-# %PORT Requested port
-# %METHOD Request method
-# %{Header} HTTP request header
-# %{Hdr:member} HTTP request header list member
-# %{Hdr:;member}
-# HTTP request header list member using ; as
-# list separator. ; can be any non-alphanumeric
-# character.
-#
-# In addition, any string specified in the referencing acl will
-# also be included in the helper request line, after the specified
-# formats (see the "acl external" directive)
-#
-# The helper receives lines per the above format specification,
-# and returns lines starting with OK or ERR indicating the validity
-# of the request and optionally followed by additional keywords with
-# more details.
-#
-# General result syntax:
-#
-# OK/ERR keyword=value ...
-#
-# Defined keywords:
-#
-# user= The users name (login)
-# error= Error description (only defined for ERR results)
-#
-# Keyword values need to be enclosed in quotes if they may contain
-# whitespace, or the whitespace escaped using \. Any quotes or \
-# characters within the keyword value must be \ escaped.
-#
-# Compatibility Note: The children= option was named concurrency= in
-# Squid-2.5.STABLE3 and earlier and such syntax is still accepted to
-# keep compatibility within the Squid-2.5 release. However, the meaning
-# of concurrency= option has changed in Squid-3 and the old syntax of
-# the directive is therefore depreated from Squid-2.5.STABLE4 and later.
-# If you want to be able to easily downgrade to earlier Squid-2.5
-# releases then you may want to continue using the old name, if not
-# please use the new name.
-#
-#Default:
-# none
-
-
-# OPTIONS FOR TUNING THE CACHE
-# -----------------------------------------------------------------------------
-
-# TAG: wais_relay_host
-# TAG: wais_relay_port
-# Relay WAIS request to host (1st arg) at port (2 arg).
-#
-#Default:
-# wais_relay_port 0
-
-# TAG: request_header_max_size (KB)
-# This specifies the maximum size for HTTP headers in a request.
-# Request headers are usually relatively small (about 512 bytes).
-# Placing a limit on the request header size will catch certain
-# bugs (for example with persistent connections) and possibly
-# buffer-overflow or denial-of-service attacks.
-#
-#Default:
-# request_header_max_size 10 KB
-
-# TAG: request_body_max_size (KB)
-# This specifies the maximum size for an HTTP request body.
-# In other words, the maximum size of a PUT/POST request.
-# A user who attempts to send a request with a body larger
-# than this limit receives an "Invalid Request" error message.
-# If you set this parameter to a zero (the default), there will
-# be no limit imposed.
-#
-#Default:
-# request_body_max_size 0 KB
-
-# TAG: refresh_pattern
-# usage: refresh_pattern [-i] regex min percent max [options]
-#
-# By default, regular expressions are CASE-SENSITIVE. To make
-# them case-insensitive, use the -i option.
-#
-# 'Min' is the time (in minutes) an object without an explicit
-# expiry time should be considered fresh. The recommended
-# value is 0, any higher values may cause dynamic applications
-# to be erroneously cached unless the application designer
-# has taken the appropriate actions.
-#
-# 'Percent' is a percentage of the objects age (time since last
-# modification age) an object without explicit expiry time
-# will be considered fresh.
-#
-# 'Max' is an upper limit on how long objects without an explicit
-# expiry time will be considered fresh.
-#
-# options: override-expire
-# override-lastmod
-# reload-into-ims
-# ignore-reload
-#
-# override-expire enforces min age even if the server
-# sent a Expires: header. Doing this VIOLATES the HTTP
-# standard. Enabling this feature could make you liable
-# for problems which it causes.
-#
-# override-lastmod enforces min age even on objects
-# that was modified recently.
-#
-# reload-into-ims changes client no-cache or ``reload''
-# to If-Modified-Since requests. Doing this VIOLATES the
-# HTTP standard. Enabling this feature could make you
-# liable for problems which it causes.
-#
-# ignore-reload ignores a client no-cache or ``reload''
-# header. Doing this VIOLATES the HTTP standard. Enabling
-# this feature could make you liable for problems which
-# it causes.
-#
-# Basically a cached object is:
-#
-# FRESH if expires < now, else STALE
-# STALE if age > max
-# FRESH if lm-factor < percent, else STALE
-# FRESH if age < min
-# else STALE
-#
-# The refresh_pattern lines are checked in the order listed here.
-# The first entry which matches is used. If none of the entries
-# match, then the default will be used.
-#
-# Note, you must uncomment all the default lines if you want
-# to change one. The default setting is only active if none is
-# used.
-#
-#Suggested default:
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern . 0 20% 4320
-
-# TAG: quick_abort_min (KB)
-# TAG: quick_abort_max (KB)
-# TAG: quick_abort_pct (percent)
-# The cache by default continues downloading aborted requests
-# which are almost completed (less than 16 KB remaining). This
-# may be undesirable on slow (e.g. SLIP) links and/or very busy
-# caches. Impatient users may tie up file descriptors and
-# bandwidth by repeatedly requesting and immediately aborting
-# downloads.
-#
-# When the user aborts a request, Squid will check the
-# quick_abort values to the amount of data transfered until
-# then.
-#
-# If the transfer has less than 'quick_abort_min' KB remaining,
-# it will finish the retrieval.
-#
-# If the transfer has more than 'quick_abort_max' KB remaining,
-# it will abort the retrieval.
-#
-# If more than 'quick_abort_pct' of the transfer has completed,
-# it will finish the retrieval.
-#
-# If you do not want any retrieval to continue after the client
-# has aborted, set both 'quick_abort_min' and 'quick_abort_max'
-# to '0 KB'.
-#
-# If you want retrievals to always continue if they are being
-# cached then set 'quick_abort_min' to '-1 KB'.
-#
-#Default:
-# quick_abort_min 16 KB
-# quick_abort_max 16 KB
-# quick_abort_pct 95
-
-# TAG: negative_ttl time-units
-# Time-to-Live (TTL) for failed requests.
Certain types of
-# failures (such as "connection refused" and "404 Not Found") are
-# negatively-cached for a configurable amount of time. The
-# default is 5 minutes. Note that this is different from
-# negative caching of DNS lookups.
-#
-#Default:
-# negative_ttl 5 minutes
-
-# TAG: positive_dns_ttl time-units
-# Upper limit on how long Squid will cache positive DNS responses.
-# Default is 6 hours (360 minutes). This directive must be set
-# larger than negative_dns_ttl.
-#
-#Default:
-# positive_dns_ttl 6 hours
-
-# TAG: negative_dns_ttl time-units
-# Time-to-Live (TTL) for negative caching of failed DNS lookups.
-# This also makes sets the lower cache limit on positive lookups.
-# Minimum value is 1 second, and it is not recommendable to go
-# much below 10 seconds.
-#
-#Default:
-# negative_dns_ttl 1 minute
-
-# TAG: range_offset_limit (bytes)
-# Sets a upper limit on how far into the the file a Range request
-# may be to cause Squid to prefetch the whole file. If beyond this
-# limit then Squid forwards the Range request as it is and the result
-# is NOT cached.
-#
-# This is to stop a far ahead range request (lets say start at 17MB)
-# from making Squid fetch the whole object up to that point before
-# sending anything to the client.
-#
-# A value of -1 causes Squid to always fetch the object from the
-# beginning so that it may cache the result. (2.0 style)
-#
-# A value of 0 causes Squid to never fetch more than the
-# client requested. (default)
-#
-#Default:
-# range_offset_limit 0 KB
-
-
-# TIMEOUTS
-# -----------------------------------------------------------------------------
-
-# TAG: forward_timeout time-units
-# This parameter specifies how long Squid should at most attempt in
-# finding a forwarding path for the request before giving up.
-#
-#Default:
-# forward_timeout 4 minutes
-
-# TAG: connect_timeout time-units
-# This parameter specifies how long to wait for the TCP connect to
-# the requested server or peer to complete before Squid should
-# attempt to find another path where to forward the request.
-#
-#Default:
-# connect_timeout 1 minute
-
-# TAG: peer_connect_timeout time-units
-# This parameter specifies how long to wait for a pending TCP
-# connection to a peer cache. The default is 30 seconds. You
-# may also set different timeout values for individual neighbors
-# with the 'connect-timeout' option on a 'cache_peer' line.
-#
-#Default:
-# peer_connect_timeout 30 seconds
-
-# TAG: read_timeout time-units
-# The read_timeout is applied on server-side connections. After
-# each successful read(), the timeout will be extended by this
-# amount. If no data is read again after this amount of time,
-# the request is aborted and logged with ERR_READ_TIMEOUT. The
-# default is 15 minutes.
-#
-#Default:
-# read_timeout 15 minutes
-
-# TAG: request_timeout
-# How long to wait for an HTTP request after initial
-# connection establishment.
-#
-#Default:
-# request_timeout 5 minutes
-
-# TAG: persistent_request_timeout
-# How long to wait for the next HTTP request on a persistent
-# connection after the previous request completes.
-#
-#Default:
-# persistent_request_timeout 1 minute
-
-# TAG: client_lifetime time-units
-# The maximum amount of time that a client (browser) is allowed to
-# remain connected to the cache process. This protects the Cache
-# from having a lot of sockets (and hence file descriptors) tied up
-# in a CLOSE_WAIT state from remote clients that go away without
-# properly shutting down (either because of a network failure or
-# because of a poor client implementation). The default is one
-# day, 1440 minutes.
-#
-# NOTE: The default value is intended to be much larger than any
-# client would ever need to be connected to your cache.
You
-# should probably change client_lifetime only as a last resort.
-# If you seem to have many client connections tying up
-# filedescriptors, we recommend first tuning the read_timeout,
-# request_timeout, persistent_request_timeout and quick_abort values.
-#
-#Default:
-# client_lifetime 1 day
-
-# TAG: half_closed_clients
-# Some clients may shutdown the sending side of their TCP
-# connections, while leaving their receiving sides open. Sometimes,
-# Squid can not tell the difference between a half-closed and a
-# fully-closed TCP connection. By default, half-closed client
-# connections are kept open until a read(2) or write(2) on the
-# socket returns an error. Change this option to 'off' and Squid
-# will immediately close client connections when read(2) returns
-# "no more data to read."
-#
-#Default:
-# half_closed_clients on
-
-# TAG: pconn_timeout
-# Timeout for idle persistent connections to servers and other
-# proxies.
-#
-#Default:
-# pconn_timeout 120 seconds
-
-# TAG: ident_timeout
-# Maximum time to wait for IDENT lookups to complete.
-#
-# If this is too high, and you enabled IDENT lookups from untrusted
-# users, then you might be susceptible to denial-of-service by having
-# many ident requests going at once.
-#
-#Default:
-# ident_timeout 10 seconds
-
-# TAG: shutdown_lifetime time-units
-# When SIGTERM or SIGHUP is received, the cache is put into
-# "shutdown pending" mode until all active sockets are closed.
-# This value is the lifetime to set for all open descriptors
-# during shutdown mode. Any active clients after this many
-# seconds will receive a 'timeout' message.
-#
-#Default:
-# shutdown_lifetime 30 seconds
-
-
-# ACCESS CONTROLS
-# -----------------------------------------------------------------------------
-
-# TAG: acl
-# Defining an Access List
-#
-# acl aclname acltype string1 ...
-# acl aclname acltype "file" ...
-#
-# when using "file", the file should contain one item per line
-#
-# acltype is one of the types described below
-#
-# By default, regular expressions are CASE-SENSITIVE. To make
-# them case-insensitive, use the -i option.
-#
-# acl aclname src ip-address/netmask ... (clients IP address)
-# acl aclname src addr1-addr2/netmask ... (range of addresses)
-# acl aclname dst ip-address/netmask ... (URL host's IP address)
-# acl aclname myip ip-address/netmask ... (local socket IP address)
-#
-# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
-# acl aclname dstdomain .foo.com ... # Destination server from URL
-# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
-# acl aclname dstdom_regex [-i] xxx ... # regex matching server
-# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
-# # based URL is used. The name "none" is used if the reverse lookup
-# # fails.
-#
-# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
-# day-abbrevs:
-# S - Sunday
-# M - Monday
-# T - Tuesday
-# W - Wednesday
-# H - Thursday
-# F - Friday
-# A - Saturday
-# h1:m1 must be less than h2:m2
-# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
-# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
-# acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
-# acl aclname port 80 70 21 ...
-# acl aclname port 0-1024 ... # ranges allowed
-# acl aclname myport 3128 ... # (local socket TCP port)
-# acl aclname proto HTTP FTP ...
-# acl aclname method GET POST ...
-# acl aclname browser [-i] regexp ...
-# # pattern match on User-Agent header
-# acl aclname referer_regex [-i] regexp ...
-# # pattern match on Referer header
-# # Referer is highly unreliable, so use with care
-# acl aclname ident username ...
-# acl aclname ident_regex [-i] pattern ...
-# # string match on ident output.
-# # use REQUIRED to accept any non-null ident.
-# acl aclname src_as number ...
-# acl aclname dst_as number ...
-# # Except for access control, AS numbers can be used for
-# # routing of requests to specific caches. Here's an
-# # example for routing all requests for AS#1241 and only
-# # those to mycache.mydomain.net:
-# # acl asexample dst_as 1241
-# # cache_peer_access mycache.mydomain.net allow asexample
-# # cache_peer_access mycache_mydomain.net deny all
-#
-# acl aclname proxy_auth username ...
-# acl aclname proxy_auth_regex [-i] pattern ...
-# # list of valid usernames
-# # use REQUIRED to accept any valid username.
-# #
-# # NOTE: when a Proxy-Authentication header is sent but it is not
-# # needed during ACL checking the username is NOT logged
-# # in access.log.
-# #
-# # NOTE: proxy_auth requires a EXTERNAL authentication program
-# # to check username/password combinations (see
-# # auth_param directive).
-# #
-# # WARNING: proxy_auth can't be used in a transparent proxy. It
-# # collides with any authentication done by origin servers. It may
-# # seem like it works at first, but it doesn't.
-#
-# acl aclname snmp_community string ...
-# # A community string to limit access to your SNMP Agent
-# # Example:
-# #
-# # acl snmppublic snmp_community public
-#
-# acl aclname maxconn number
-# # This will be matched when the client's IP address has
-# # more than HTTP connections established.
-#
-# acl aclname max_user_ip [-s] number
-# # This will be matched when the user attempts to log in from more
-# # than different ip addresses. The authenticate_ip_ttl
-# # parameter controls the timeout on the ip entries.
-# # If -s is specified then the limit is strict, denying browsing
-# # from any further IP addresses until the ttl has expired. Without
-# # -s Squid will just annoy the user by "randomly" denying requests.
-# # (the counter is then reset each time the limit is reached and a
-# # request is denied)
-# # NOTE: in acceleration mode or where there is mesh of child proxies,
-# # clients may appear to come from multiple addresses if they are
-# # going through proxy farms, so a limit of 1 may cause user problems.
-#
-# acl aclname req_mime_type mime-type1 ...
-# # regex match agains the mime type of the request generated
-# # by the client. Can be used to detect file upload or some
-# # types HTTP tunelling requests.
-# # NOTE: This does NOT match the reply. You cannot use this
-# # to match the returned file type.
-#
-# acl aclname rep_mime_type mime-type1 ...
-# # regex match against the mime type of the reply recieved by
-# # squid. Can be used to detect file download or some
-# # types HTTP tunelling requests.
-# # NOTE: This has no effect in http_access rules. It only has
-# # effect in rules that affect the reply data stream such as
-# # http_reply_access.
-#
-# acl acl_name external class_name [arguments...]
-# # external ACL lookup via a helper class defined by the
-# # external_acl_type directive.
-#
-#Examples:
-#acl myexample dst_as 1241
-#acl password proxy_auth REQUIRED
-#acl fileupload req_mime_type -i ^multipart/form-data$
-#acl javascript rep_mime_type -i ^application/x-javascript$
-#
-#Recommended minimum configuration:
-acl all src 0.0.0.0/0.0.0.0
-acl manager proto cache_object
-acl localhost src 127.0.0.1/255.255.255.255
-acl to_localhost dst 127.0.0.0/8
-acl SSL_ports port 443 563
-acl Jabber_ports port 5222
-acl Safe_ports port 80 # http
-acl Safe_ports port 21 # ftp
-acl Safe_ports port 443 563 # https, snews
-acl Safe_ports port 70 # gopher
-acl Safe_ports port 210 # wais
-acl Safe_ports port 1025-65535 # unregistered ports
-acl Safe_ports port 280 # http-mgmt
-acl Safe_ports port 488 # gss-http
-acl Safe_ports port 591 # filemaker
-acl Safe_ports port 777 # multiling http
-acl CONNECT method CONNECT
-
-# TAG: http_access
-# Allowing or Denying access based on defined access lists
-#
-# Access to the HTTP port:
-# http_access allow|deny [!]aclname ...
-#
-# NOTE on default values:
-#
-# If there are no "access" lines present, the default is to deny
-# the request.
-#
-# If none of the "access" lines cause a match, the default is the
-# opposite of the last line in the list. If the last line was
-# deny, then the default is allow. Conversely, if the last line
-# is allow, the default will be deny. For these reasons, it is a
-# good idea to have an "deny all" or "allow all" entry at the end
-# of your access lists to avoid potential confusion.
-#
-#Default:
-# http_access deny all
-#
-#Recommended minimum configuration:
-#
-# Only allow cachemgr access from localhost
-http_access allow manager localhost
-http_access deny manager
-# Deny requests to unknown ports
-http_access deny !Safe_ports
-# Deny CONNECT to other than SSL ports
-http_access deny CONNECT !SSL_ports !Jabber_ports
-#
-# We strongly recommend to uncomment the following to protect innocent
-# web applications running on the proxy server who think that the only
-# one who can access services on "localhost" is a local user
-#http_access deny to_localhost
-#
-# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
-
-# Example rule allowing access from your local networks. Adapt
-# to list your (internal) IP networks from where browsing should
-# be allowed
-acl password proxy_auth REQUIRED
-
-http_access allow password
-
-
-# And finally deny all other access to this proxy
-http_access allow localhost
-http_access deny all
-
-# TAG: http_reply_access
-# Allow replies to client requests. This is complementary to http_access.
-#
-# http_reply_access allow|deny [!] aclname ...
-#
-# NOTE: if there are no access lines present, the default is to allow
-# all replies
-#
-# If none of the access lines cause a match, then the opposite of the
-# last line will apply. Thus it is good practice to end the rules
-# with an "allow all" or "deny all" entry.
-#
-#Default:
-# http_reply_access allow all
-#
-#Recommended minimum configuration:
-#
-# Insert your own rules here.
-#
-#
-# and finally allow by default
-http_reply_access allow all
-
-# TAG: icp_access
-# Allowing or Denying access to the ICP port based on defined
-# access lists
-#
-# icp_access allow|deny [!]aclname ...
-#
-# See http_access for details
-#
-#Default:
-# icp_access deny all
-#
-#Allow ICP queries from everyone
-#icp_access allow all
-
-# TAG: miss_access
-# Use to force your neighbors to use you as a sibling instead of
-# a parent.
For example:
-#
-# acl localclients src 172.16.0.0/16
-# miss_access allow localclients
-# miss_access deny !localclients
-#
-# This means that only your local clients are allowed to fetch
-# MISSES and all other clients can only fetch HITS.
-#
-# By default, allow all clients who passed the http_access rules
-# to fetch MISSES from us.
-#
-#Default setting:
-# miss_access allow all
-
-# TAG: cache_peer_access
-# Similar to 'cache_peer_domain' but provides more flexibility by
-# using ACL elements.
-#
-# cache_peer_access cache-host allow|deny [!]aclname ...
-#
-# The syntax is identical to 'http_access' and the other lists of
-# ACL elements. See the comments for 'http_access' below, or
-# the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
-#
-#Default:
-# none
-
-# TAG: ident_lookup_access
-# A list of ACL elements which, if matched, cause an ident
-# (RFC 931) lookup to be performed for this request. For
-# example, you might choose to always perform ident lookups
-# for your main multi-user Unix boxes, but not for your Macs
-# and PCs. By default, ident lookups are not performed for
-# any requests.
-#
-# To enable ident lookups for specific client addresses, you
-# can follow this example:
-#
-# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
-# ident_lookup_access allow ident_aware_hosts
-# ident_lookup_access deny all
-#
-# Only src type ACL checks are fully supported. A src_domain
-# ACL might work at times, but it will not always provide
-# the correct result.
-#
-#Default:
-# ident_lookup_access deny all
-
-# TAG: tcp_outgoing_tos
-# Allows you to select a TOS/Diffserv value to mark outgoing
-# connections with, based on the username or source address
-# making the request.
-#
-# tcp_outgoing_tos ds-field [!]aclname ...
-#
-# Example where normal_service_net uses the TOS value 0x00
-# and normal_service_net uses 0x20
-#
-# acl normal_service_net src 10.0.0.0/255.255.255.0
-# acl good_service_net src 10.0.1.0/255.255.255.0
-# tcp_outgoing_tos 0x00 normal_service_net 0x00
-# tcp_outgoing_tos 0x20 good_service_net
-#
-# TOS/DSCP values really only have local significance - so you should
-# know what you're specifying. For more, see RFC 2474
-#
-# The TOS/DSCP byte must be exactly that - a byte, value 0 - 255, or
-# "default" to use whatever default your host has.
-#
-# Processing proceeds in the order specified, and stops at first fully
-# matching line.
-#
-#Default:
-# none
-
-# TAG: tcp_outgoing_address
-# Allows you to map requests to different outgoing IP addresses
-# based on the username or sourceaddress of the user making
-# the request.
-#
-# tcp_outgoing_address ipaddr [[!]aclname] ...
-#
-# Example where requests from 10.0.0.0/24 will be forwareded
-# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
-# source address 10.1.0.2 and the rest will be forwarded with
-# source address 10.1.0.3.
-#
-# acl normal_service_net src 10.0.0.0/255.255.255.0
-# acl good_service_net src 10.0.1.0/255.255.255.0
-# tcp_outgoing_address 10.0.0.1 normal_service_net
-# tcp_outgoing_address 10.0.0.2 good_service_net
-# tcp_outgoing_address 10.0.0.3
-#
-# Processing proceeds in the order specified, and stops at first fully
-# matching line.
-#
-#Default:
-# none
-
-# TAG: reply_body_max_size bytes allow|deny acl acl...
-# This option specifies the maximum size of a reply body in bytes.
-# It can be used to prevent users from downloading very large files,
-# such as MP3's and movies. When the reply headers are recieved,
-# the reply_body_max_size lines are processed, and the first line with
-# a result of "allow" is used as the maximum body size for this reply.
-# This size is then checked twice. First when we get the reply headers,
-# we check the content-length value.
If the content length value exists
-# and is larger than the allowed size, the request is denied and the
-# user receives an error message that says "the request or reply
-# is too large." If there is no content-length, and the reply
-# size exceeds this limit, the client's connection is just closed
-# and they will receive a partial reply.
-#
-# WARNING: downstream caches probably can not detect a partial reply
-# if there is no content-length header, so they will cache
-# partial responses and give them out as hits. You should NOT
-# use this option if you have downstream caches.
-#
-# If you set this parameter to zero (the default), there will be
-# no limit imposed.
-#
-#Default:
-# reply_body_max_size 0 allow all
-
-
-# ADMINISTRATIVE PARAMETERS
-# -----------------------------------------------------------------------------
-
-# TAG: cache_mgr
-# Email-address of local cache manager who will receive
-# mail if the cache dies. The default is "webmaster."
-#
-#Default:
-# cache_mgr webmaster
-
-# TAG: cache_effective_user
-# TAG: cache_effective_group
-#
-# If you start Squid as root, it will change its effective/real
-# UID/GID to the UID/GID specified below. The default is to
-# change to UID to nobody. If you define cache_effective_user,
-# but not cache_effective_group, Squid sets the GID the
-# effective user's default group ID (taken from the password
-# file).
-#
-# If Squid is not started as root, the cache_effective_user
-# value is ignored and the GID value is unchanged by default.
-# However, you can make Squid change its GID to another group
-# that the process owner is a member of. Note that if Squid
-# is not started as root then you cannot set http_port to a
-# value lower than 1024.
-#
-#Default:
-# cache_effective_user squid
-# cache_effective_group squid
-
-# TAG: visible_hostname
-# If you want to present a special hostname in error messages, etc,
-# then define this. Otherwise, the return value of gethostname()
-# will be used.
If you have multiple caches in a cluster and
-# get errors about IP-forwarding you must set them to have individual
-# names with this setting.
-#
-#Default:
-# none
-
-# TAG: unique_hostname
-# If you want to have multiple machines with the same
-# 'visible_hostname' then you must give each machine a different
-# 'unique_hostname' so that forwarding loops can be detected.
-#
-#Default:
-# none
-
-# TAG: hostname_aliases
-# A list of other DNS names that your cache has.
-#
-#Default:
-# none
-
-
-# OPTIONS FOR THE CACHE REGISTRATION SERVICE
-# -----------------------------------------------------------------------------
-#
-# This section contains parameters for the (optional) cache
-# announcement service. This service is provided to help
-# cache administrators locate one another in order to join or
-# create cache hierarchies.
-#
-# An 'announcement' message is sent (via UDP) to the registration
-# service by Squid. By default, the announcement message is NOT
-# SENT unless you enable it with 'announce_period' below.
-#
-# The announcement message includes your hostname, plus the
-# following information from this configuration file:
-#
-# http_port
-# icp_port
-# cache_mgr
-#
-# All current information is processed regularly and made
-# available on the Web at http://www.ircache.net/Cache/Tracker/.
-
-# TAG: announce_period
-# This is how frequently to send cache announcements. The
-# default is `0' which disables sending the announcement
-# messages.
-#
-# To enable announcing your cache, just uncomment the line
-# below.
-#
-#Default:
-# announce_period 0
-#
-#To enable announcing your cache, just uncomment the line below.
-#announce_period 1 day
-
-# TAG: announce_host
-# TAG: announce_file
-# TAG: announce_port
-# announce_host and announce_port set the hostname and port
-# number where the registration message will be sent.
-#
-# Hostname will default to 'tracker.ircache.net' and port will
-# default default to 3131.
If the 'filename' argument is given,
-# the contents of that file will be included in the announce
-# message.
-#
-#Default:
-# announce_host tracker.ircache.net
-# announce_port 3131
-
-
-# HTTPD-ACCELERATOR OPTIONS
-# -----------------------------------------------------------------------------
-
-# TAG: httpd_accel_host
-# TAG: httpd_accel_port
-# If you want to run Squid as an httpd accelerator, define the
-# host name and port number where the real HTTP server is.
-#
-# If you want IP based virtual host support then specify the
-# hostname as "virtual". This will make Squid use the IP address
-# where it accepted the request as hostname in the URL.
-#
-# If you want virtual port support then specify the port as "0".
-#
-# NOTE: enabling httpd_accel_host disables proxy-caching and
-# ICP. If you want these features enabled also, then set
-# the 'httpd_accel_with_proxy' option.
-#
-#Default:
-# httpd_accel_port 80
-
-# TAG: httpd_accel_single_host on|off
-# If you are running Squid as an accelerator and have a single backend
-# server then set this to on. This causes Squid to forward the request
-# to this server irregardles of what any redirectors or Host headers
-# says.
-#
-# Leave this at off if you have multiple backend servers, and use a
-# redirector (or host table or private DNS) to map the requests to the
-# appropriate backend servers. Note that the mapping needs to be a
-# 1-1 mapping between requested and backend (from redirector) domain
-# names or caching will fail, as cacing is performed using the
-# URL returned from the redirector.
-#
-# See also redirect_rewrites_host_header.
-#
-#Default:
-# httpd_accel_single_host off
-
-# TAG: httpd_accel_with_proxy on|off
-# If you want to use Squid as both a local httpd accelerator
-# and as a proxy, change this to 'on'.
Note however that your
-# proxy users may have trouble to reach the accelerated domains
-# unless their browsers are configured not to use this proxy for
-# those domains (for example via the no_proxy browser configuration
-# setting)
-#
-#Default:
-# httpd_accel_with_proxy off
-
-# TAG: httpd_accel_uses_host_header on|off
-# HTTP/1.1 requests include a Host: header which is basically the
-# hostname from the URL. The Host: header is used for domain based
-# virutal hosts. If your accelerator needs to provide domain based
-# virtual hosts on the same IP address then you will need to turn this
-# on.
-#
-# Note that Squid does NOT check the value of the Host header matches
-# any of your accelerated server, so it may open a big security hole
-# unless you take care to set up access controls proper. We recommend
-# that this option remain disabled unless you are sure of what you
-# are doing.
-#
-# However, you will need to enable this option if you run Squid
-# as a transparent proxy. Otherwise, virtual servers which
-# require the Host: header will not be properly cached.
-#
-#Default:
-# httpd_accel_uses_host_header off
-
-
-# MISCELLANEOUS
-# -----------------------------------------------------------------------------
-
-# TAG: dns_testnames
-# The DNS tests exit as soon as the first site is successfully looked up
-#
-# This test can be disabled with the -D command line option.
-#
-#Default:
-# dns_testnames netscape.com internic.net nlanr.net microsoft.com
-
-# TAG: logfile_rotate
-# Specifies the number of logfile rotations to make when you
-# type 'squid -k rotate'. The default is 10, which will rotate
-# with extensions 0 through 9. Setting logfile_rotate to 0 will
-# disable the rotation, but the logfiles are still closed and
-# re-opened. This will enable you to rename the logfiles
-# yourself just before sending the rotate signal.
-#
-# Note, the 'squid -k rotate' command normally sends a USR1
-# signal to the running squid process.
In certain situations -# (e.g. on Linux with Async I/O), USR1 is used for other -# purposes, so -k rotate uses another signal. It is best to get -# in the habit of using 'squid -k rotate' instead of 'kill -USR1 -# '. -# -#Default: -# logfile_rotate 0 - -# TAG: append_domain -# Appends local domain name to hostnames without any dots in -# them. append_domain must begin with a period. -# -# Be warned that there today is Internet names with no dots in -# them using only top-domain names, so setting this may -# cause some Internet sites to become unavailable. -# -#Example: -# append_domain .yourdomain.com -# -#Default: -# none - -# TAG: tcp_recv_bufsize (bytes) -# Size of receive buffer to set for TCP sockets. Probably just -# as easy to change your kernel's default. Set to zero to use -# the default buffer size. -# -#Default: -# tcp_recv_bufsize 0 bytes - -# TAG: err_html_text -# HTML text to include in error messages. Make this a "mailto" -# URL to your admin address, or maybe just a link to your -# organizations Web page. -# -# To include this in your error messages, you must rewrite -# the error template files (found in the "errors" directory). -# Wherever you want the 'err_html_text' line to appear, -# insert a %L tag in the error template file. -# -#Default: -# none - -# TAG: deny_info -# Usage: deny_info err_page_name acl -# or deny_info http://... acl -# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys -# -# This can be used to return a ERR_ page for requests which -# do not pass the 'http_access' rules. A single ACL will cause -# the http_access check to fail. If a 'deny_info' line exists -# for that ACL then Squid returns a corresponding error page. -# -# You may use ERR_ pages that come with Squid or create your own pages -# and put them into the configured errors/ directory. -# -# Alternatively you can specify an error URL. The browsers will then -# get redirected (302) to the specified URL. 
%s in the redirection -# URL will be replaced by the requested URL. -# -# Alternatively you can tell Squid to reset the TCP connection -# by specifying TCP_RESET. -# -#Default: -# none - -# TAG: memory_pools on|off -# If set, Squid will keep pools of allocated (but unused) memory -# available for future use. If memory is a premium on your -# system and you believe your malloc library outperforms Squid -# routines, disable this. -# -#Default: -# memory_pools on - -# TAG: memory_pools_limit (bytes) -# Used only with memory_pools on: -# memory_pools_limit 50 MB -# -# If set to a non-zero value, Squid will keep at most the specified -# limit of allocated (but unused) memory in memory pools. All free() -# requests that exceed this limit will be handled by your malloc -# library. Squid does not pre-allocate any memory, just safe-keeps -# objects that otherwise would be free()d. Thus, it is safe to set -# memory_pools_limit to a reasonably high value even if your -# configuration will use less memory. -# -# If not set (default) or set to zero, Squid will keep all memory it -# can. That is, there will be no limit on the total amount of memory -# used for safe-keeping. -# -# To disable memory allocation optimization, do not set -# memory_pools_limit to 0. Set memory_pools to "off" instead. -# -# An overhead for maintaining memory pools is not taken into account -# when the limit is checked. This overhead is close to four bytes per -# object kept. However, pools may actually _save_ memory because of -# reduced memory thrashing in your malloc library. -# -#Default: -# none - -# TAG: forwarded_for on|off -# If set, Squid will include your system's IP address or name -# in the HTTP requests it forwards. By default it looks like -# this: -# -# X-Forwarded-For: 192.1.2.3 -# -# If you disable this, it will appear as -# -# X-Forwarded-For: unknown -# -#Default: -# forwarded_for on - -# TAG: log_icp_queries on|off -# If set, ICP queries are logged to access.log. 
You may wish -# do disable this if your ICP load is VERY high to speed things -# up or to simplify log analysis. -# -#Default: -# log_icp_queries on - -# TAG: icp_hit_stale on|off -# If you want to return ICP_HIT for stale cache objects, set this -# option to 'on'. If you have sibling relationships with caches -# in other administrative domains, this should be 'off'. If you only -# have sibling relationships with caches under your control, then -# it is probably okay to set this to 'on'. -# If set to 'on', then your siblings should use the option "allow-miss" -# on their cache_peer lines for connecting to you. -# -#Default: -# icp_hit_stale off - -# TAG: minimum_direct_hops -# If using the ICMP pinging stuff, do direct fetches for sites -# which are no more than this many hops away. -# -#Default: -# minimum_direct_hops 4 - -# TAG: minimum_direct_rtt -# If using the ICMP pinging stuff, do direct fetches for sites -# which are no more than this many rtt milliseconds away. -# -#Default: -# minimum_direct_rtt 400 - -# TAG: cachemgr_passwd -# Specify passwords for cachemgr operations. -# -# Usage: cachemgr_passwd password action action ... -# -# Some valid actions are (see cache manager menu for a full list): -# 5min -# 60min -# asndb -# authenticator -# cbdata -# client_list -# comm_incoming -# config * -# counters -# delay -# digest_stats -# dns -# events -# filedescriptors -# fqdncache -# histograms -# http_headers -# info -# io -# ipcache -# mem -# menu -# netdb -# non_peers -# objects -# offline_toggle * -# pconn -# peer_select -# redirector -# refresh -# server_list -# shutdown * -# store_digest -# storedir -# utilization -# via_headers -# vm_objects -# -# * Indicates actions which will not be performed without a -# valid password, others can be performed if not listed here. -# -# To disable an action, set the password to "disable". -# To allow performing an action without a password, set the -# password to "none". 
-# -# Use the keyword "all" to set the same password for all actions. -# -#Example: -# cachemgr_passwd secret shutdown -# cachemgr_passwd lesssssssecret info stats/objects -# cachemgr_passwd disable all -# -#Default: -# none - -# TAG: store_avg_object_size (kbytes) -# Average object size, used to estimate number of objects your -# cache can hold. See doc/Release-Notes-1.1.txt. The default is -# 13 KB. -# -#Default: -# store_avg_object_size 13 KB - -# TAG: store_objects_per_bucket -# Target number of objects per bucket in the store hash table. -# Lowering this value increases the total number of buckets and -# also the storage maintenance rate. The default is 50. -# -#Default: -# store_objects_per_bucket 20 - -# TAG: client_db on|off -# If you want to disable collecting per-client statistics, then -# turn off client_db here. -# -#Default: -# client_db on - -# TAG: netdb_low -# TAG: netdb_high -# The low and high water marks for the ICMP measurement -# database. These are counts, not percents. The defaults are -# 900 and 1000. When the high water mark is reached, database -# entries will be deleted until the low mark is reached. -# -#Default: -# netdb_low 900 -# netdb_high 1000 - -# TAG: netdb_ping_period -# The minimum period for measuring a site. There will be at -# least this much delay between successive pings to the same -# network. The default is five minutes. -# -#Default: -# netdb_ping_period 5 minutes - -# TAG: query_icmp on|off -# If you want to ask your peers to include ICMP data in their ICP -# replies, enable this option. -# -# If your peer has configured Squid (during compilation) with -# '--enable-icmp' then that peer will send ICMP pings to origin server -# sites of the URLs it receives. If you enable this option then the -# ICP replies from that peer will include the ICMP data (if available). -# Then, when choosing a parent cache, Squid will choose the parent with -# the minimal RTT to the origin server. 
When this happens, the -# hierarchy field of the access.log will be -# "CLOSEST_PARENT_MISS". This option is off by default. -# -#Default: -# query_icmp off - -# TAG: test_reachability on|off -# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH -# instead of ICP_MISS if the target host is NOT in the ICMP -# database, or has a zero RTT. -# -#Default: -# test_reachability off - -# TAG: buffered_logs on|off -# cache.log log file is written with stdio functions, and as such -# it can be buffered or unbuffered. By default it will be unbuffered. -# Buffering it can speed up the writing slightly (though you are -# unlikely to need to worry unless you run with tons of debugging -# enabled in which case performance will suffer badly anyway..). -# -#Default: -# buffered_logs off - -# TAG: reload_into_ims on|off -# When you enable this option, client no-cache or ``reload'' -# requests will be changed to If-Modified-Since requests. -# Doing this VIOLATES the HTTP standard. Enabling this -# feature could make you liable for problems which it -# causes. -# -# see also refresh_pattern for a more selective approach. -# -#Default: -# reload_into_ims off - -# TAG: always_direct -# Usage: always_direct allow|deny [!]aclname ... -# -# Here you can use ACL elements to specify requests which should -# ALWAYS be forwarded directly to origin servers. For example, -# to always directly forward requests for local servers use -# something like: -# -# acl local-servers dstdomain my.domain.net -# always_direct allow local-servers -# -# To always forward FTP requests directly, use -# -# acl FTP proto FTP -# always_direct allow FTP -# -# NOTE: There is a similar, but opposite option named -# 'never_direct'. You need to be aware that "always_direct deny -# foo" is NOT the same thing as "never_direct allow foo". You -# may need to use a deny rule to exclude a more-specific case of -# some other rule. 
Example: -# -# acl local-external dstdomain external.foo.net -# acl local-servers dstdomain .foo.net -# always_direct deny local-external -# always_direct allow local-servers -# -# This option replaces some v1.1 options such as local_domain -# and local_ip. -# -#Default: -# none - -# TAG: never_direct -# Usage: never_direct allow|deny [!]aclname ... -# -# never_direct is the opposite of always_direct. Please read -# the description for always_direct if you have not already. -# -# With 'never_direct' you can use ACL elements to specify -# requests which should NEVER be forwarded directly to origin -# servers. For example, to force the use of a proxy for all -# requests, except those in your local domain use something like: -# -# acl local-servers dstdomain .foo.net -# acl all src 0.0.0.0/0.0.0.0 -# never_direct deny local-servers -# never_direct allow all -# -# or if squid is inside a firewall and there is local intranet -# servers inside the firewall then use something like: -# -# acl local-intranet dstdomain .foo.net -# acl local-external dstdomain external.foo.net -# always_direct deny local-external -# always_direct allow local-intranet -# never_direct allow all -# -# This option replaces some v1.1 options such as inside_firewall -# and firewall_ip. -# -#Default: -# none - -# TAG: header_access -# Usage: header_access header_name allow|deny [!]aclname ... -# -# WARNING: Doing this VIOLATES the HTTP standard. Enabling -# this feature could make you liable for problems which it -# causes. -# -# This option replaces the old 'anonymize_headers' and the -# older 'http_anonymizer' option with something that is much -# more configurable. This new method creates a list of ACLs -# for each header, allowing you very fine-tuned header -# mangling. -# -# You can only specify known headers for the header name. -# Other headers are reclassified as 'Other'. You can also -# refer to all the headers with 'All'. 
-# -# For example, to achieve the same behaviour as the old -# 'http_anonymizer standard' option, you should use: -# -# header_access From deny all -# header_access Referer deny all -# header_access Server deny all -# header_access User-Agent deny all -# header_access WWW-Authenticate deny all -# header_access Link deny all -# -# Or, to reproduce the old 'http_anonymizer paranoid' feature -# you should use: -# -# header_access Allow allow all -# header_access Authorization allow all -# header_access WWW-Authenticate allow all -# header_access Cache-Control allow all -# header_access Content-Encoding allow all -# header_access Content-Length allow all -# header_access Content-Type allow all -# header_access Date allow all -# header_access Expires allow all -# header_access Host allow all -# header_access If-Modified-Since allow all -# header_access Last-Modified allow all -# header_access Location allow all -# header_access Pragma allow all -# header_access Accept allow all -# header_access Accept-Charset allow all -# header_access Accept-Encoding allow all -# header_access Accept-Language allow all -# header_access Content-Language allow all -# header_access Mime-Version allow all -# header_access Retry-After allow all -# header_access Title allow all -# header_access Connection allow all -# header_access Proxy-Connection allow all -# header_access All deny all -# -# By default, all headers are allowed (no anonymizing is -# performed). -# -#Default: -# none - -# TAG: header_replace -# Usage: header_replace header_name message -# Example: header_replace User-Agent Nutscrape/1.0 (CP/M; 8-bit) -# -# This option allows you to change the contents of headers -# denied with header_access above, by replacing them with -# some fixed string. This replaces the old fake_user_agent -# option. -# -# By default, headers are removed if denied. -# -#Default: -# none - -# TAG: icon_directory -# Where the icons are stored. 
These are normally kept in -# /usr/share/squid/icons -# -#Default: -# icon_directory /usr/share/squid/icons - -# TAG: short_icon_urls -# If this is enabled then Squid will use short URLs for icons. -# -# If off then the URLs for icons will always be absolute URLs -# including the proxy name and port. -# -#Default: -# short_icon_urls off - -# TAG: error_directory -# If you wish to create your own versions of the default -# (English) error files, either to customize them to suit your -# language or company copy the template English files to another -# directory and point this tag at them. -# -#Default: -# error_directory /usr/share/squid/errors/English - -# TAG: maximum_single_addr_tries -# This sets the maximum number of connection attempts for a -# host that only has one address (for multiple-address hosts, -# each address is tried once). -# -# The default value is one attempt, the (not recommended) -# maximum is 255 tries. A warning message will be generated -# if it is set to a value greater than ten. -# -# Note: This is in addition to the request reforwarding which -# takes place if Squid fails to get a satisfying response. -# -#Default: -# maximum_single_addr_tries 1 - -# TAG: snmp_port -# Squid can now serve statistics and status information via SNMP. -# By default it listens to port 3401 on the machine. If you don't -# wish to use SNMP, set this to "0". -# -#Default: -# snmp_port 3401 - -# TAG: snmp_access -# Allowing or denying access to the SNMP port. -# -# All access to the agent is denied by default. -# usage: -# -# snmp_access allow|deny [!]aclname ... -# -#Example: -# snmp_access allow snmppublic localhost -# snmp_access deny all -# -#Default: -# snmp_access deny all - -# TAG: snmp_incoming_address -# TAG: snmp_outgoing_address -# Just like 'udp_incoming_address' above, but for the SNMP port. -# -# snmp_incoming_address is used for the SNMP socket receiving -# messages from SNMP agents. 
-# snmp_outgoing_address is used for SNMP packets returned to SNMP -# agents. -# -# The default snmp_incoming_address (0.0.0.0) is to listen on all -# available network interfaces. -# -# If snmp_outgoing_address is set to 255.255.255.255 (the default) -# then it will use the same socket as snmp_incoming_address. Only -# change this if you want to have SNMP replies sent using another -# address than where this Squid listens for SNMP queries. -# -# NOTE, snmp_incoming_address and snmp_outgoing_address can not have -# the same value since they both use port 3401. -# -#Default: -# snmp_incoming_address 0.0.0.0 -# snmp_outgoing_address 255.255.255.255 - -# TAG: as_whois_server -# WHOIS server to query for AS numbers. NOTE: AS numbers are -# queried only when Squid starts up, not for every request. -# -#Default: -# as_whois_server whois.ra.net -# as_whois_server whois.ra.net - -# TAG: wccp_router -# Use this option to define your WCCP ``home'' router for -# Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) -# disables WCCP. -# -#Default: -# wccp_router 0.0.0.0 - -# TAG: wccp_version -# According to some users, Cisco IOS 11.2 only supports WCCP -# version 3. If you're using that version of IOS, change -# this value to 3. -# -#Default: -# wccp_version 4 - -# TAG: wccp_incoming_address -# TAG: wccp_outgoing_address -# wccp_incoming_address Use this option if you require WCCP -# messages to be received on only one -# interface. Do NOT use this option if -# you're unsure how many interfaces you -# have, or if you know you have only one -# interface. -# -# wccp_outgoing_address Use this option if you require WCCP -# messages to be sent out on only one -# interface. Do NOT use this option if -# you're unsure how many interfaces you -# have, or if you know you have only one -# interface. -# -# The default behavior is to not bind to any specific address. 
-# -# NOTE, wccp_incoming_address and wccp_outgoing_address can not have -# the same value since they both use port 2048. -# -#Default: -# wccp_incoming_address 0.0.0.0 -# wccp_outgoing_address 255.255.255.255 - - -# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) -# ----------------------------------------------------------------------------- - -# TAG: delay_pools -# This represents the number of delay pools to be used. For example, -# if you have one class 2 delay pool and one class 3 delays pool, you -# have a total of 2 delay pools. -# -#Default: -# delay_pools 0 - -# TAG: delay_class -# This defines the class of each delay pool. There must be exactly one -# delay_class line for each delay pool. For example, to define two -# delay pools, one of class 2 and one of class 3, the settings above -# and here would be: -# -#Example: -# delay_pools 2 # 2 delay pools -# delay_class 1 2 # pool 1 is a class 2 pool -# delay_class 2 3 # pool 2 is a class 3 pool -# -# The delay pool classes are: -# -# class 1 Everything is limited by a single aggregate -# bucket. -# -# class 2 Everything is limited by a single aggregate -# bucket as well as an "individual" bucket chosen -# from bits 25 through 32 of the IP address. -# -# class 3 Everything is limited by a single aggregate -# bucket as well as a "network" bucket chosen -# from bits 17 through 24 of the IP address and a -# "individual" bucket chosen from bits 17 through -# 32 of the IP address. -# -# NOTE: If an IP address is a.b.c.d -# -> bits 25 through 32 are "d" -# -> bits 17 through 24 are "c" -# -> bits 17 through 32 are "c * 256 + d" -# -#Default: -# none - -# TAG: delay_access -# This is used to determine which delay pool a request falls into. -# The first matched delay pool is always used, i.e., if a request falls -# into delay pool number one, no more delay are checked, otherwise the -# rest are checked in order of their delay pool number until they have -# all been checked. 
For example, if you want some_big_clients in delay -# pool 1 and lotsa_little_clients in delay pool 2: -# -#Example: -# delay_access 1 allow some_big_clients -# delay_access 1 deny all -# delay_access 2 allow lotsa_little_clients -# delay_access 2 deny all -# -#Default: -# none - -# TAG: delay_parameters -# This defines the parameters for a delay pool. Each delay pool has -# a number of "buckets" associated with it, as explained in the -# description of delay_class. For a class 1 delay pool, the syntax is: -# -#delay_parameters pool aggregate -# -# For a class 2 delay pool: -# -#delay_parameters pool aggregate individual -# -# For a class 3 delay pool: -# -#delay_parameters pool aggregate network individual -# -# The variables here are: -# -# pool a pool number - ie, a number between 1 and the -# number specified in delay_pools as used in -# delay_class lines. -# -# aggregate the "delay parameters" for the aggregate bucket -# (class 1, 2, 3). -# -# individual the "delay parameters" for the individual -# buckets (class 2, 3). -# -# network the "delay parameters" for the network buckets -# (class 3). -# -# A pair of delay parameters is written restore/maximum, where restore is -# the number of bytes (not bits - modem and network speeds are usually -# quoted in bits) per second placed into the bucket, and maximum is the -# maximum number of bytes which can be in the bucket at any time. -# -# For example, if delay pool number 1 is a class 2 delay pool as in the -# above example, and is being used to strictly limit each host to 64kbps -# (plus overheads), with no overall limit, the line is: -# -#delay_parameters 1 -1/-1 8000/8000 -# -# Note that the figure -1 is used to represent "unlimited". 
-# -# And, if delay pool number 2 is a class 3 delay pool as in the above -# example, and you want to limit it to a total of 256kbps (strict limit) -# with each 8-bit network permitted 64kbps (strict limit) and each -# individual host permitted 4800bps with a bucket maximum size of 64kb -# to permit a decent web page to be downloaded at a decent speed -# (if the network is not being limited due to overuse) but slow down -# large downloads more significantly: -# -#delay_parameters 2 32000/32000 8000/8000 600/8000 -# -# There must be one delay_parameters line for each delay pool. -# -#Default: -# none - -# TAG: delay_initial_bucket_level (percent, 0-100) -# The initial bucket percentage is used to determine how much is put -# in each bucket when squid starts, is reconfigured, or first notices -# a host accessing it (in class 2 and class 3, individual hosts and -# networks only have buckets associated with them once they have been -# "seen" by squid). -# -#Default: -# delay_initial_bucket_level 50 - -# TAG: incoming_icp_average -# TAG: incoming_http_average -# TAG: incoming_dns_average -# TAG: min_icp_poll_cnt -# TAG: min_dns_poll_cnt -# TAG: min_http_poll_cnt -# Heavy voodoo here. I can't even believe you are reading this. -# Are you crazy? Don't even think about adjusting these unless -# you understand the algorithms in comm_select.c first! -# -#Default: -# incoming_icp_average 6 -# incoming_http_average 4 -# incoming_dns_average 4 -# min_icp_poll_cnt 8 -# min_dns_poll_cnt 8 -# min_http_poll_cnt 8 - -# TAG: max_open_disk_fds -# To avoid having disk as the I/O bottleneck Squid can optionally -# bypass the on-disk cache if more than this amount of disk file -# descriptors are open. -# -# A value of 0 indicates no limit. -# -#Default: -# max_open_disk_fds 0 - -# TAG: offline_mode -# Enable this option and Squid will never try to validate cached -# objects. 
-# -#Default: -# offline_mode off - -# TAG: uri_whitespace -# What to do with requests that have whitespace characters in the -# URI. Options: -# -# strip: The whitespace characters are stripped out of the URL. -# This is the behavior recommended by RFC2396. -# deny: The request is denied. The user receives an "Invalid -# Request" message. -# allow: The request is allowed and the URI is not changed. The -# whitespace characters remain in the URI. Note the -# whitespace is passed to redirector processes if they -# are in use. -# encode: The request is allowed and the whitespace characters are -# encoded according to RFC1738. This could be considered -# a violation of the HTTP/1.1 -# RFC because proxies are not allowed to rewrite URI's. -# chop: The request is allowed and the URI is chopped at the -# first whitespace. This might also be considered a -# violation. -# -#Default: -# uri_whitespace strip - -# TAG: broken_posts -# A list of ACL elements which, if matched, causes Squid to send -# an extra CRLF pair after the body of a PUT/POST request. -# -# Some HTTP servers has broken implementations of PUT/POST, -# and rely on an extra CRLF pair sent by some WWW clients. -# -# Quote from RFC 2068 section 4.1 on this matter: -# -# Note: certain buggy HTTP/1.0 client implementations generate an -# extra CRLF's after a POST request. To restate what is explicitly -# forbidden by the BNF, an HTTP/1.1 client must not preface or follow -# a request with an extra CRLF. -# -#Example: -# acl buggy_server url_regex ^http://.... -# broken_posts allow buggy_server -# -#Default: -# none - -# TAG: mcast_miss_addr -# Note: This option is only available if Squid is rebuilt with the -# -DMULTICAST_MISS_STREAM option -# -# If you enable this option, every "cache miss" URL will -# be sent out on the specified multicast address. -# -# Do not enable this option unless you are are absolutely -# certain you understand what you are doing. 
-# -#Default: -# mcast_miss_addr 255.255.255.255 - -# TAG: mcast_miss_ttl -# Note: This option is only available if Squid is rebuilt with the -# -DMULTICAST_MISS_TTL option -# -# This is the time-to-live value for packets multicasted -# when multicasting off cache miss URLs is enabled. By -# default this is set to 'site scope', i.e. 16. -# -#Default: -# mcast_miss_ttl 16 - -# TAG: mcast_miss_port -# Note: This option is only available if Squid is rebuilt with the -# -DMULTICAST_MISS_STREAM option -# -# This is the port number to be used in conjunction with -# 'mcast_miss_addr'. -# -#Default: -# mcast_miss_port 3135 - -# TAG: mcast_miss_encode_key -# Note: This option is only available if Squid is rebuilt with the -# -DMULTICAST_MISS_STREAM option -# -# The URLs that are sent in the multicast miss stream are -# encrypted. This is the encryption key. -# -#Default: -# mcast_miss_encode_key XXXXXXXXXXXXXXXX - -# TAG: nonhierarchical_direct -# By default, Squid will send any non-hierarchical requests -# (matching hierarchy_stoplist or not cachable request type) direct -# to origin servers. -# -# If you set this to off, then Squid will prefer to send these -# requests to parents. -# -# Note that in most configurations, by turning this off you will only -# add latency to these request without any improvement in global hit -# ratio. -# -# If you are inside an firewall then see never_direct instead of -# this directive. -# -#Default: -# nonhierarchical_direct on - -# TAG: prefer_direct -# Normally Squid tries to use parents for most requests. If you by some -# reason like it to first try going direct and only use a parent if -# going direct fails then set this to on. -# -# By combining nonhierarchical_direct off and prefer_direct on you -# can set up Squid to use a parent as a backup path if going direct -# fails. -# -# Note: If you want Squid to use parents for all requests then see -# the never_direct directive. 
prefer_direct only modifies how Squid -# acts on cachable requests. -# -#Default: -# prefer_direct off - -# TAG: strip_query_terms -# By default, Squid strips query terms from requested URLs before -# logging. This protects your user's privacy. -# -#Default: -# strip_query_terms on - -# TAG: coredump_dir -# By default Squid leaves core files in the directory from where -# it was started. If you set 'coredump_dir' to a directory -# that exists, Squid will chdir() to that directory at startup -# and coredump files will be left there. -# -#Default: -# coredump_dir none -# -# Leave coredumps in the first cache dir -coredump_dir /var/spool/squid - -# TAG: redirector_bypass -# When this is 'on', a request will not go through the -# redirector if all redirectors are busy. If this is 'off' -# and the redirector queue grows too large, Squid will exit -# with a FATAL error and ask you to increase the number of -# redirectors. You should only enable this if the redirectors -# are not critical to your caching system. If you use -# redirectors for access control, and you enable this option, -# then users may have access to pages that they should not -# be allowed to request. -# -#Default: -# redirector_bypass off - -# TAG: ignore_unknown_nameservers -# By default Squid checks that DNS responses are received -# from the same IP addresses that they are sent to. If they -# don't match, Squid ignores the response and writes a warning -# message to cache.log. You can allow responses from unknown -# nameservers by setting this option to 'off'. -# -#Default: -# ignore_unknown_nameservers on - -# TAG: digest_generation -# This controls whether the server will generate a Cache Digest -# of its contents. By default, Cache Digest generation is -# enabled if Squid is compiled with USE_CACHE_DIGESTS defined. 
-# -#Default: -# digest_generation on - -# TAG: digest_bits_per_entry -# This is the number of bits of the server's Cache Digest which -# will be associated with the Digest entry for a given HTTP -# Method and URL (public key) combination. The default is 5. -# -#Default: -# digest_bits_per_entry 5 - -# TAG: digest_rebuild_period (seconds) -# This is the number of seconds between Cache Digest rebuilds. -# -#Default: -# digest_rebuild_period 1 hour - -# TAG: digest_rewrite_period (seconds) -# This is the number of seconds between Cache Digest writes to -# disk. -# -#Default: -# digest_rewrite_period 1 hour - -# TAG: digest_swapout_chunk_size (bytes) -# This is the number of bytes of the Cache Digest to write to -# disk at a time. It defaults to 4096 bytes (4KB), the Squid -# default swap page. -# -#Default: -# digest_swapout_chunk_size 4096 bytes - -# TAG: digest_rebuild_chunk_percentage (percent, 0-100) -# This is the percentage of the Cache Digest to be scanned at a -# time. By default it is set to 10% of the Cache Digest. -# -#Default: -# digest_rebuild_chunk_percentage 10 - -# TAG: chroot -# Use this to have Squid do a chroot() while initializing. This -# also causes Squid to fully drop root privileges after -# initializing. This means, for example, that if you use a HTTP -# port less than 1024 and try to reconfigure, you will get an -# error. -# -#Default: -# none - -# TAG: client_persistent_connections -# TAG: server_persistent_connections -# Persistent connection support for clients and servers. By -# default, Squid uses persistent connections (when allowed) -# with its clients and servers. You can use these options to -# disable persistent connections with clients and/or servers. -# -#Default: -# client_persistent_connections on -# server_persistent_connections on - -# TAG: detect_broken_pconn -# Some servers have been found to incorrectly signal the use -# of HTTP/1.0 persistent connections even on replies not -# compatible, causing significant delays. 
This server problem -# has mostly been seen on redirects. -# -# By enabling this directive Squid attempts to detect such -# broken replies and automatically assume the reply is finished -# after 10 seconds timeout. -# -#Default: -# detect_broken_pconn off - -# TAG: pipeline_prefetch -# To boost the performance of pipelined requests to closer -# match that of a non-proxied environment Squid can try to fetch -# up to two requests in parallell from a pipeline. -# -# Defaults to off for bandwidth management and access logging -# reasons. -# -#Default: -# pipeline_prefetch off - -# TAG: extension_methods -# Squid only knows about standardized HTTP request methods. -# You can add up to 20 additional "extension" methods here. -# -#Default: -# none - -# TAG: request_entities -# Squid defaults to deny GET and HEAD requests with request entities, -# as the meaning of such requests are undefined in the HTTP standard -# even if not explicitly forbidden. -# -# Set this directive to on if you have clients which insists -# on sending request entities in GET or HEAD requests. -# -#Default: -# request_entities off - -# TAG: high_response_time_warning (msec) -# If the one-minute median response time exceeds this value, -# Squid prints a WARNING with debug level 0 to get the -# administrators attention. The value is in milliseconds. -# -#Default: -# high_response_time_warning 0 - -# TAG: high_page_fault_warning -# If the one-minute average page fault rate exceeds this -# value, Squid prints a WARNING with debug level 0 to get -# the administrators attention. The value is in page faults -# per second. -# -#Default: -# high_page_fault_warning 0 - -# TAG: high_memory_warning -# If the memory usage (as determined by mallinfo) exceeds -# value, Squid prints a WARNING with debug level 0 to get -# the administrators attention. -# -#Default: -# high_memory_warning 0 - -# TAG: store_dir_select_algorithm -# Set this to 'round-robin' as an alternative. 
-# -#Default: -# store_dir_select_algorithm least-load - -# TAG: forward_log -# Note: This option is only available if Squid is rebuilt with the -# -DWIP_FWD_LOG option -# -# Logs the server-side requests. -# -# This is currently work in progress. -# -#Default: -# none - -# TAG: ie_refresh on|off -# Microsoft Internet Explorer up until version 5.5 Service -# Pack 1 has an issue with transparent proxies, wherein it -# is impossible to force a refresh. Turning this on provides -# a partial fix to the problem, by causing all IMS-REFRESH -# requests from older IE versions to check the origin server -# for fresh content. This reduces hit ratio by some amount -# (~10% in my experience), but allows users to actually get -# fresh content when they want it. Note that because Squid -# cannot tell if the user is using 5.5 or 5.5SP1, the behavior -# of 5.5 is unchanged from old versions of Squid (i.e. a -# forced refresh is impossible). Newer versions of IE will, -# hopefully, continue to have the new behavior and will be -# handled based on that assumption. This option defaults to -# the old Squid behavior, which is better for hit ratios but -# worse for clients using IE, if they need to be able to -# force fresh content. -# -#Default: -# ie_refresh off - -# TAG: vary_ignore_expire on|off -# Many HTTP servers supporting Vary gives such objects -# immediate expiry time with no cache-control header -# when requested by a HTTP/1.0 client. This option -# enables Squid to ignore such expiry times until -# HTTP/1.1 is fully implemented. -# WARNING: This may eventually cause some varying -# objects not intended for caching to get cached. -# -#Default: -# vary_ignore_expire off - -# TAG: sleep_after_fork (microseconds) -# When this is set to a non-zero value, the main Squid process -# sleeps the specified number of microseconds after a fork() -# system call. This sleep may help the situation where your -# system reports fork() failures due to lack of (virtual) -# memory. 
Note, however, that if you have a lot of child
-# processes, then these sleep delays will add up and your
-# Squid will not service requests for some amount of time
-# until all the child processes have been started.
-#
-#Default:
-# sleep_after_fork 0
-
diff --git a/contrib/altlinux/init.ldif b/contrib/altlinux/init.ldif
deleted file mode 100644
index 9545ecfb9..000000000
--- a/contrib/altlinux/init.ldif
+++ /dev/null
@@ -1,124 +0,0 @@
-dn: dc=example,dc=com
-objectClass: top
-objectClass: dcObject
-objectClass: organization
-objectClass: gosaDepartment
-dc: example
-o: Example Inc.
-ou: example
-description: Main building
-
-dn: ou=Apps,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Apps
-
-dn: cn=gosa,ou=Apps,dc=example,dc=com
-objectClass: top
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-userPassword: gosa
-cn: gosa
-
-dn: cn=smbpasswd,ou=Apps,dc=example,dc=com
-objectClass: top
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: smbpasswd
-userPassword: smbpasswd
-
-dn: cn=cyrus,ou=Apps,dc=example,dc=com
-objectClass: top
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: cyrus
-userPassword: cyrus
-
-dn: cn=saslauthd,ou=Apps,dc=example,dc=com
-objectClass: top
-objectClass: applicationProcess
-objectClass: simpleSecurityObject
-cn: saslauthd
-userPassword: saslauthd
-
-dn: ou=Admins,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Admins
-description: Directory administrators
-
-dn: cn=admin,ou=Admins,dc=example,dc=com
-objectClass: person
-cn: admin
-sn: admin
-userPassword: secret
-
-dn: ou=People,dc=example,dc=com
-objectClass: organizationalUnit
-ou: People
-
-dn: uid=administrator,ou=People,dc=example,dc=com
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-objectClass: gosaAccount
-userPassword: secret
-sn: System
-cn: administrator
-givenName: Administrator
-uid: administrator
-
-dn: ou=Groups,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Groups
-
-dn: cn=administrator,ou=Groups,dc=example,dc=com
-objectClass: top
-objectClass: gosaObject
-objectClass: posixGroup
-gosaSubtreeACL:: OmFsbA==
-cn: administrator
-gidNumber: 999
-memberUid: administrator
-
-dn: ou=Computers,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Computers
-
-dn: uid=pdc$,ou=Computers,dc=example,dc=com
-objectClass: top
-objectClass: account
-objectClass: goImapServer
-uid: pdc$
-cn: localhost
-goImapName: mail.example.lan
-goImapConnect: {localhost:143}
-goImapAdmin: cyrus
-goImapSieveServer: localhost
-goImapSievePort: 2000
-goImapPassword: cyrus
-
-dn: dc=branch,dc=example,dc=com
-objectClass: top
-objectClass: dcObject
-objectClass: organizationalUnit
-objectClass: gosaDepartment
-dc: branch
-ou: branch
-description: Remote branch
-
-dn: ou=Addressbook,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Addressbook
-
-dn: ou=Systems,dc=example,dc=com
-objectClass: organizationalUnit
-ou: Systems
-
-dn: ou=configs,ou=systems,dc=example,dc=com
-objectClass: organizationalUnit
-ou: configs
-
-dn: ou=gosa,ou=configs,ou=systems,dc=example,dc=com
-objectClass: organizationalUnit
-ou: gosa
-
-- 
2.30.2
