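# Generated automatically from squid.conf.pre.in by configure.
#
# $Id: squid.conf.pre.in,v 1.93.2.2 1997/03/03 17:26:48 wessels Exp $
#
# NOTE(review): every directive and comment line is restored to its own
# line here; in the collapsed form the directives were swallowed by the
# "#" comment text that precedes them on the same physical line.

# NOTE(review): this is the active cache_effective_user setting. The
# "TAG: cache_effective_user" section near the end of the file carries
# only a commented-out example. No group is given here - confirm the
# account's default group is the intended one.
cache_effective_user squidadm

#  TAG: http_port
#    The port number where squid will listen for HTTP client
#    requests.  Default is 3128, for httpd-accel mode use port 80.
#    May be overridden with -a on the command line.
#
http_port 3128

#  TAG: icp_port
#    The port number where squid sends and receives ICP requests to
#    and from neighbor caches.  Default is 3130.  To disable use
#    "0".  May be overridden with -u on the command line.
#
icp_port 3130

#  TAG: mcast_groups
#    This tag specifies a list of multicast groups which your
#    server should join to receive multicasted ICP requests.
#
#    Usage: mcast_groups 239.128.16.128 224.0.1.20
#
#    By default, squid doesn't listen on any multicast groups.
#
#mcast_groups 239.128.16.128

#  TAG: tcp_incoming_address
#  TAG: tcp_outgoing_address
#  TAG: udp_incoming_address
#  TAG: udp_outgoing_address
#
#    Usage: tcp_incoming_address 10.20.30.40
#           udp_outgoing_address fully.qualified.domain.name
#
#    These tags have replaced 'bind_address' and 'outbound_address'
#    to provide more control for multihomed hosts.
#
#    tcp_incoming_address is used for the HTTP socket which accepts
#        connections from clients and other caches.
#    tcp_outgoing_address is used for connections made to remote
#        servers and other caches.
#    udp_incoming_address is used for the ICP socket receiving packets
#        from other caches.
#    udp_outgoing_address is used for ICP packets sent out to other
#        caches.
#
#    The default behaviour is to not bind to any specific address.
#
#    NOTE, udp_incoming_address and udp_outgoing_address can not have
#    the same value since they both use port 3130.
#
# NOTE(review): all four are left unset, so neither the HTTP nor the ICP
# socket is tied to one address. Exposure of ports 3128 and 3130 then
# rests on the http_access / icp_access rules and on network filtering.
#tcp_incoming_address 0.0.0.0
#tcp_outgoing_address 0.0.0.0
#udp_incoming_address 0.0.0.0
#udp_outgoing_address 0.0.0.0


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
#-----------------------------------------------------------------------------

#  TAG: cache_host
#    To specify other caches in a hierarchy, use the format:
#
#        hostname type http_port icp_port
#
#    For example,
#
#    #                                        proxy  icp
#    #          hostname             type     port   port  options
#    #          -------------------- -------- ----- -----  -----------
#    cache_host bigserver.usc.edu    parent   3128  3130  [proxy-only]
#    cache_host littleguy1.usc.edu   sibling  3128  3130  [proxy-only]
#    cache_host littleguy1.usc.edu   sibling  3128  3130  [proxy-only]
#
#          type:  either 'parent', 'sibling', or 'multicast'.
#
#    proxy_port:  The port number where the cache listens for proxy
#                 requests.
#
#      icp_port:  Used for querying neighbor caches about
#                 objects.  To have a non-ICP neighbor
#                 specify '7' for the ICP port and make sure the
#                 neighbor machine has the UDP echo port
#                 enabled in its /etc/inetd.conf file.
#
#       options:  proxy-only
#                 weight=n
#                 ttl=n
#                 no-query
#                 default
#                 round-robin
#                 multicast-responder
#
#                 use 'proxy-only' to specify that objects fetched
#                 from this cache should not be saved locally.
#
#                 use 'weight=n' to specify a weighted parent.
#                 The weight must be an integer.  The default weight
#                 is 1, larger weights are favored more.
#
#                 use 'ttl=n' to specify an IP multicast TTL to use
#                 when sending an ICP request to this address.
#                 Only useful when sending to a multicast group.
#                 Because we don't accept ICP replies from random
#                 hosts, you must configure other group members as
#                 peers with the 'multicast-responder' option below.
#
#                 use 'no-query' to NOT send ICP queries to this
#                 neighbor.
#
#                 use 'default' if this is a parent cache which can
#                 be used as a "last-resort."  You should probably
#                 only use 'default' in situations where you cannot
#                 use ICP with your parent cache(s).
#
#                 use 'round-robin' to define a set of parents which
#                 should be used in a round-robin fashion in the
#                 absence of any ICP queries.
#
#                 'multicast-responder' indicates that the named peer
#                 is a member of a multicast group.  ICP queries will
#                 not be sent directly to the peer, but ICP replies
#                 will be accepted from it.
#
#    NOTE: non-ICP neighbors must be specified as 'parent'.
#
#cache_host hostname type 3128 3130

# 1. No parent is configured.
#    (Translated from a mis-encoded, apparently Big5, comment; the
#    wording is approximate.)
#cache_host proxy.edu.tw parent 3128 3130 default
#cache_host proxy.edu.tw parent 3128 3130 weight=9 round-robin
#cache_host twcache.sinica.edu.tw parent 3128 3130 weight=5 round-robin

# 2. Configure siblings: remove your own regional network's proxy from
#    this list.
#    (Translated from a mis-encoded, apparently Big5, comment; the
#    wording is approximate.)
#cache_host ccproxy1.nsysu.edu.tw sibling 3128 3130
#cache_host ccproxy2.nsysu.edu.tw sibling 3128 3130
#cache_host proxy.ccu.edu.tw sibling 3128 3130
#cache_host w3-gate.nctu.edu.tw sibling 3128 3130
#cache_host w3-gate2.nctu.edu.tw sibling 3128 3130
# NOTE(review): these three siblings are the only active peers. With no
# parent, anything the siblings cannot supply is fetched directly.
cache_host gate2.ncku.edu.tw sibling 3128 3130
cache_host proxy.ncku.edu.tw sibling 3128 3130
cache_host proxy2.ncku.edu.tw sibling 3128 3130

#  TAG: cache_host_domain
#    Use to limit the domains for which a neighbor cache will be queried.
#    Usage:
#
#    cache_host_domain cache-host domain [domain ...]
#    cache_host_domain cache-host !domain
#
#    For example, specifying
#
#        cache_host_domain bigserver.usc.edu .edu
#
#    has the effect such that UDP query packets are sent to
#    'bigserver' only when the requested object exists on a
#    server in the .edu domain.  Prefixing the domainname
#    with '!' means that the cache will be queried for objects
#    NOT in that domain.
#
#    NOTE:  * Any number of domains may be given for a cache-host,
#             either on the same or separate lines.
#           * When multiple domains are given for a particular
#             cache-host, the first matched domain is applied.
#           * Cache hosts with no domain restrictions are queried
#             for all requests.
#           * There are no defaults.
#           * There is also a 'cache_host_acl' tag in the ACL
#             section.
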
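# NOTE(review): every directive and comment line is restored to its own
# line here; in the collapsed form the active settings below sat inside
# "#" comment text.

#  TAG: neighbor_type_domain
#
#    usage: neighbor_type_domain parent|sibling domain domain ...
#
#    Modifying the neighbor type for specific domains is now
#    possible.  You can treat some domains differently than the
#    default neighbor type specified on the 'cache_host' line.
#    Normally it should only be necessary to list domains which
#    should be treated differently because the default neighbor type
#    applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
#    cache_host parent cache.foo.org 3128 3130
#    neighbor_type_domain cache.foo.org sibling .com .net
#    neighbor_type_domain cache.foo.org sibling .au .de

#  TAG: inside_firewall
#    This tag specifies a list of domains inside your Internet
#    firewall.
#
#    Usage: inside_firewall my.domain [ my.other.domain ...]
#
#    The use of this tag affects the server selection algorithm in
#    two ways.  Objects which do not match any of the listed domains
#    will be considered "beyond the firewall."  For these:
#        - There will be no DNS lookups for the URL-host.
#        - The object will always be fetched from one of
#          the parent or neighbor caches.
#
#    As a special case you may specify the domain as 'none' to force
#    all requests to be fetched from neighbors and parents.
#
#inside_firewall topsecret.com

#  TAG: local_domain
#    This tag specifies a list of domains local to your organization.
#
#    Usage: local_domain my.domain [ my.other.domain ...]
#
#    For URLs which are in one of the local domains, the object
#    is always fetched directly from the source and never from a
#    neighbor or parent.
#
#local_domain bigbucks.com
local_domain ncku.edu.tw

#  TAG: local_ip
#    This tag specifies a list of network addresses local to your
#    organization.
#
#    Usage: local_ip ip-address
#
#    This tag is similar to local_domain, except that the IP-address
#    of the URL-host is checked.  This requires that a DNS lookup
#    be done on the URL-host.  For this reason, local_domain is
#    preferred over local_ip.  By using local_domain it may be
#    possible to avoid the DNS lookup altogether and deliver the
#    object with less delay.
#
#local_ip 10.0.0.0
#local_ip 172.16.0.0
local_ip 140.116.0.0

#  TAG: firewall_ip
#
#    Just like 'inside_firewall' but for IP addresses.  NOTE:
#    firewall_ip and local_ip are mutually exclusive.  If you
#    use firewall_ip then local_ip will be ignored.
#
#firewall_ip 10.0.0.0
#firewall_ip 172.16.0.0

#  TAG: single_parent_bypass
#    This tag specifies that it is okay to bypass the hierarchy
#    "Pinging" when there is only a single parent for a given URL.
#
#    Usage: single_parent_bypass on|off
#
#    Before actually sending ICP "ping" packets to parents and
#    neighbors, we figure out which hosts would be pinged based
#    on the cache_host_domain rules, etc.  Often it may be the
#    case that only a single parent cache would be pinged.
#
#    Since there is only a single parent, there is a very good
#    chance that we will end up fetching the object from that
#    parent.  For this reason, it may be beneficial to avoid
#    the ping and just fetch the object anyway.
#
#    However, if we avoid the ping, we will be assuming that the
#    parent host is reachable and that the cache process is running.
#    By using the ping, we can be reasonably sure that the parent
#    host will be able to handle our request.  If the ping fails then
#    it may be possible to fetch the object directly from the source.
#
#    To favor the resiliency provided by the ping algorithm,
#    single_parent_bypass is 'off' by default.
#
#single_parent_bypass off

#  TAG: source_ping
#    If source_ping is enabled, then squid will include the source
#    provider site in its selection algorithm.  This is accomplished
#    by sending ICP "HIT" packets to the UDP echo port of the source
#    host.  Note that using source_ping may send a fair amount of UDP
#    traffic out on the Internet and may irritate paranoid network
#    administrators.
#
#    Note that source_ping is incompatible with inside_firewall.
#    For hosts beyond the firewall, source_ping packets will never
#    be sent.
#
#    By default, source_ping is off.
#
#source_ping off

#  TAG: neighbor_timeout (seconds)
#    This controls how long to wait for replies from neighbor caches.
#    If none of the parent or neighbor caches reply before this many
#    seconds (due to dropped packets or slow links), then the object
#    request will be satisfied from the default source.  The default
#    timeout is two seconds.
#
#neighbor_timeout 2
neighbor_timeout 1

#  TAG: hierarchy_stoplist
#    A list of words which, if found in a URL, cause the object to
#    be handled directly by this cache.  In other words, use this
#    to not query neighbor caches for certain objects.  You may
#    list this option multiple times.
#
#    The default is to directly fetch URLs containing 'cgi-bin' or '?'.
#
hierarchy_stoplist cgi-bin ? .cgi/
# NOTE(review): these are substring matches on the URL. '140.116' also
# matches that digit sequence anywhere in a URL (path or query string),
# not only a campus host address.
hierarchy_stoplist ncku.edu.tw 140.116

#  TAG: cache_stoplist
#    A list of words which, if found in a URL, cause the object to
#    be immediately removed from the cache.  In other words, use this
#    to force certain objects to never be cached.  You may list this
#    option multiple times.
#
#    The default is to not cache URLs containing 'cgi-bin' or '?'.
#
#cache_stoplist cgi-bin ?
cache_stoplist cgi-bin ? .cgi/
cache_stoplist ncku.edu.tw 140.116

#  TAG: cache_stoplist_pattern         # case sensitive
#  TAG: cache_stoplist_pattern/i       # case insensitive
#
#    Just like 'cache_stoplist' but you can use regular expressions
#    instead of simple string matching.  There is no default.
#
#cache_stoplist_pattern


# OPTIONS WHICH AFFECT THE CACHE SIZE
#-----------------------------------------------------------------------------
#
#  TAG: cache_mem (in megabytes)
#    Maximum amount of VM used to store objects in memory.
#    This includes:
#        in-transit objects,
#        negative-cached objects,
#        "hot" objects
#    The value of cache_mem is an upper limit on the size of the
#    "in-memory object data" pool.  This is a pool of 4k pages used
#    to hold object data.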
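#
#    In-transit objects have priority over the others.  When
#    additional space is needed for incoming data, negative-cached
#    and hot objects will be released.  In other words, the
#    negative-cached and hot objects will fill up any unused space
#    not needed for in-transit objects.
#
#    The values of cache_mem_low and cache_mem_high (below) can be
#    used to tune the use of the memory pool.  When the high mark is
#    reached, in-transit and hot objects will be released to clear
#    space.  When an object transfer is completed, it will remain in
#    memory only if the current memory usage is below the low water
#    mark.
#
#    The default is 8 Megabytes.
#
# NOTE(review): every directive and comment line in this part of the
# file is restored to its own line; in the collapsed form the active
# settings sat inside "#" comment text.
#cache_mem 8
cache_mem 64

#  TAG: cache_swap (in megabytes)
#    Maximum amount of disk space used by the cache.  The default is
#    100 megabytes.  When the disk usage gets to this size, the cache
#    uses LRU replacement to evict objects as new objects are cached.
#    Note that cache_swap is set to:
#        max(cache_mem, cache_swap_specified)
#    to guard against users' accidentally specifying a smaller
#    cache_swap than cache_mem size.
#
#cache_swap 100
cache_swap 8200

#  TAG: cache_swap_low  (percent, 0-100)
#  TAG: cache_swap_high (percent, 0-100)
#    The low- and high-water marks for cache LRU replacement.
#    LRU replacement begins when the high-water mark is reached
#    and ends when enough objects have been removed and the low-water
#    mark is reached.  Defaults are 90% and 95%.
#
cache_swap_low 90
cache_swap_high 95

#  TAG: cache_mem_low  (in percent, 0-100)
#  TAG: cache_mem_high (in percent, 0-100)
#    The low- and high-water mark for cache memory storage.  When
#    the amount of RAM used by the hot-object RAM cache reaches this
#    point, the cache starts throwing objects out of the RAM cache
#    (but they remain on disk).  Defaults are 75% and 90%.
#
#cache_mem_low 75
#cache_mem_high 90

#  TAG: maximum_object_size
#    Objects larger than this size will NOT be saved on disk.  The
#    value is specified in kilobytes, and the default is 4MB.
#
#maximum_object_size 4096
maximum_object_size 4096

#  TAG: ipcache_size (number of entries)
#  TAG: ipcache_low  (percent)
#  TAG: ipcache_high (percent)
#    The size, low-, and high-water marks for the IP cache.
#
#ipcache_size 1024
#ipcache_low 90
#ipcache_high 95


# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#-----------------------------------------------------------------------------

#  TAG: cache_dir
#    Directory for on-disk cache storage.  The cache will change into
#    this directory when running.  The default is
#    /usr/local/squid/cache.
#
#    You can specify multiple cache_dir lines to spread the
#    cache among different disk partitions.
#
# NOTE(review): the cache and log paths below must be writable by the
# cache_effective_user account (squidadm, set at the top of the file).
# Keeping them unreadable to other local users protects cached content
# and the client addresses recorded in access.log.
cache_dir /usr/local/squid/cache

#  TAG: cache_access_log
#    Logs the client request activity.  Contains an entry for
#    every HTTP and ICP request received.
#
cache_access_log /usr/local/squid/logs/access.log

#  TAG: cache_log
#    Cache logging file.  Set logging levels with "debug_options" below.
#
cache_log /usr/local/squid/logs/cache.log

#  TAG: cache_store_log
#    Logs the activities of the storage manager.  Shows which
#    objects are ejected from the cache, and which objects are
#    saved and for how long.  To disable, enter "none".
#
cache_store_log none

#  TAG: cache_swap_log
#    Location for the cache "swap log."  This log file holds the
#    metadata of objects saved on disk.  It is used to rebuild the
#    cache during startup.  Normally this file resides in the first
#    'cache_dir' directory, but you may specify an alternate
#    pathname here.  Note you must give a full filename, not just
#    a directory.
#
#cache_swap_log

#  TAG: emulate_httpd_log
#    The Cache can emulate the log file format which many 'httpd'
#    programs use.  To disable/enable this emulation, set
#    emulate_httpd_log to 'off' or 'on'.  The default
#    is to use the native log format.
#
emulate_httpd_log off

#  TAG: log_mime_hdrs
#    The Cache can record both the request and the response
#    MIME headers for each HTTP transaction.  The headers are
#    encoded safely and will appear as two bracketed fields
#    at the end of the access log (for either the native
#    or httpd-emulated log formats).  To enable this logging
#    set log_mime_hdrs to 'on'.
#
#    NOTE: support for this may require you to define
#    LOG_FULL_HEADERS before compiling.
#
# NOTE(review): request headers can carry credentials and cookies, so
# turning this on makes access.log sensitive material. It is left off.
#log_mime_hdrs off

#  TAG: useragent_log
#    If compiled with "-DUSE_USERAGENT_LOG=1" Squid will write
#    the User-Agent field from HTTP requests to the filename
#    specified here.  By default useragent_log is disabled.
#
#useragent_log /usr/local/squid/logs/useragent.log

#  TAG: pid_filename
#    A pathname to write the process-id to.  To disable, enter "none".
#
pid_filename /usr/local/squid/logs/squid.pid

#  TAG: debug_options
#    Logging options are set as section,level where each source file
#    is assigned a unique section.  Lower levels result in less
#    output.  Full debugging (level 9) can result in a very large
#    log file, so be careful.  The magic word "ALL" sets debugging
#    levels for all sections.  We recommend normally running with
#    "ALL,1".
#
debug_options ALL,1

#  TAG: ident_lookup
#    If you wish to make an RFC931/ident lookup of the client username
#    for each connection, enable this.  It is off by default.
#
#ident_lookup off

#  TAG: log_fqdn
#    Turn this on if you wish to log fully qualified domain names
#    in the access.log.
#
# NOTE(review): this is enabled while client_netmask below stays
# commented out, so access.log identifies each client individually.
log_fqdn on

#  TAG: client_netmask
#    A netmask for client addresses in logfiles and cachemgr output.
#    Change this to protect the privacy of your cache clients.
#
#client_netmask 255.255.255.255


# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
#-----------------------------------------------------------------------------

#  TAG: ftpget_program
#    Where to find the 'ftpget' program that retrieves FTP data (HTTP
#    and Gopher protocol support are built into the cache).
#
#    To disable ftpget and the ability to retrieve FTP objects, set
#    this to "none".  Note that ftpget is automatically disabled for
#    http_accel mode.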
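#
# NOTE(review): every directive and comment line in this part of the
# file is restored to its own line. The helper programs named here
# (ftpget, dnsserver) are run by the cache process; keeping the binaries
# and their directory non-writable by the cache account is a sensible
# hardening check.
ftpget_program /usr/local/squid/bin/ftpget

#  TAG: ftpget_options
#    Options for the 'ftpget' program.  Please run 'ftpget' without
#    any arguments to see a list of options.  The default is
#    no options.  An example is
#
#        ftpget_options -n 60 -R -W
#
#ftpget_options

#    If you want the anonymous login password to be more informative
#    (and enable the use of picky ftp servers), set this to something
#    reasonable for your domain, like wwwuser@somewhere.net
#
#    The reason why this is domainless by default is that the
#    request can be made on the behalf of a user in any domain,
#    depending on how the cache is used.
#    Some ftp servers also validate that the email address is valid
#    (for example perl.com).
#
ftp_user squidadm@

#  TAG: cache_dns_program
#    Specify the location of the executable for dnslookup process.
#
cache_dns_program /usr/local/squid/bin/dnsserver

#  TAG: dns_children
#    The number of processes spawned to service DNS name lookups.
#    For heavily loaded caches on large servers, you should
#    probably increase this value to at least 10.  The maximum
#    is 32.  The default is 5.
#
#    To disable dnsservers, set this to 0.  NOTE, this is very
#    strongly discouraged.  If you disable dnsservers your Squid
#    process will BLOCK on DNS lookups!
#
#dns_children 5
dns_children 16

#  TAG: dns_defnames
#    Normally the 'dnsserver' disables the RES_DEFNAMES resolver
#    option (see res_init(3)).  This prevents caches in a hierarchy
#    from interpreting single-component hostnames locally.  To allow
#    dnsserver to handle single-component names, enable this
#    option.
#
#dns_defnames off

#  TAG: redirect_program
#    Specify the location of the executable for the URL redirector.
#    Currently, you must provide your own redirector program.
#    See the Release-Notes for how to write one.
#    By default, the redirector is not used.
#
#redirect_program /bin/false

#  TAG: redirect_children
#    The number of redirector processes to spawn.
#
#redirect_children 5


# OPTIONS FOR TUNING THE CACHE
#-----------------------------------------------------------------------------

#  TAG: wais_relay
#    Relay WAIS request to host (1st arg) at port (2 arg).
#
#wais_relay localhost 8000

#  TAG: request_size
#    Maximum allowed request size in kilobytes.  If people are using
#    POST to upload files, then set this to the largest acceptable
#    filesize plus a few extra kbytes.
#
#request_size 100
request_size 300

#  TAG: refresh_pattern          # case sensitive
#  TAG: refresh_pattern/i        # case insensitive
#
#    usage: refresh_pattern regex min percent max
#
#    min and max are specified in MINUTES.
#    percent is an integer number.
#
#    Please see the file doc/Release-Notes-1.1.txt for a full
#    description of Squid's refresh algorithm.  Basically a
#    cached object is:
#
#        FRESH if age < min
#        STALE if expires < now
#        STALE if age > max
#        FRESH if lm-factor < percent
#
#    The refresh_pattern lines are checked in the order listed here.
#    The first entry which matches is used.  If none of the entries
#    match, then the default will be used.
#
#Default:
#refresh_pattern . 0 20% 4320
# NOTE(review): because the first match wins, every http:// URL stops at
# the ^http:// line and never reaches the \.jpg$, \.gif$ or /cgi-bin/
# lines below it. With min = 21600 minutes (15 days), the "FRESH if
# age < min" rule above appears to let http objects be served without
# revalidation for that long. If the /cgi-bin/ line is meant to keep
# dynamic responses from being served stale, it has to come first.
# The order is kept as found - confirm the intent before changing it.
refresh_pattern ^http:// 21600 100% 43200
refresh_pattern ^ftp:// 10800 100% 43200
refresh_pattern/i \.jpg$ 2880 50% 43200
refresh_pattern/i \.gif$ 2880 50% 43200
refresh_pattern /cgi-bin/ 0 0% 43200

#  TAG: reference_age (in minutes)
#    If set, objects which have not been referenced for this amount
#    of time will be purged from the cache.  This is the only
#    parameter for removing cache objects except when the disk space
#    reaches the high water mark.  By default reference_age is
#    computed dynamically so that the store swap size stays within
#    the low and high water mark limits.
#reference_age 0

#  TAG: quick_abort
#    By default the cache continues to retrieve objects from
#    aborted requests.  This may be undesirable on slow (e.g. SLIP)
#    links and/or very busy caches.  Impatient users may tie up
#    file descriptors by repeatedly aborting and re-requesting
#    non-cachable objects.
#
#    Usage: quick_abort min-kbytes percent max-kbytes
#
#    When the user aborts a request, Squid will compare the
#    quick_abort values to the amount of data transferred until
#    then.
#
#    If the transfer has less than 'min-kbytes' remaining, it
#    will finish the retrieval.  Setting minlength to -1 will
#    disable the quick_abort feature.
#
#    If the transfer has more than 'max-kbytes' remaining, it
#    will abort the retrieval.
#
#    If more than 'percent' of the transfer has completed, it will
#    finish the retrieval.
#
# NOTE(review): -1 disables quick_abort, so aborted requests keep
# downloading. The text above names the cost: clients that repeatedly
# abort and re-request can tie up file descriptors.
quick_abort -1 0 0
#quick_abort 1 95 0

#  TAG: negative_ttl (in minutes)
#    Time-to-Live (TTL) for failed requests.  Certain types of
#    failures (such as "connection refused" and "404 Not Found") are
#    negatively-cached for a small amount of time.  The default is 5
#    minutes.  Note that this is different from negative caching of
#    DNS lookups.
#
#negative_ttl 5
negative_ttl 5
#

#  TAG: positive_dns_ttl (in minutes)
#    Time-to-Live (TTL) for positive caching of successful DNS lookups.
#    Default is 6 hours (360 minutes).  If you want to minimize the
#    use of Squid's ipcache, set this to 1, not 0.
#
#positive_dns_ttl 360

#  TAG: negative_dns_ttl (in minutes)
#    Time-to-Live (TTL) for negative caching of failed DNS lookups.
#
#negative_dns_ttl 5


# TIMEOUTS
#-----------------------------------------------------------------------------

#  TAG: connect_timeout (in seconds)
#    Some systems (notably Linux) can not be relied upon to properly
#    time out connect(2) requests.  Therefore the squid process
#    enforces its own timeout on server connections.  This parameter
#    specifies how long to wait for the connect to complete.  The
#    default is two minutes (120 seconds).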
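#
# NOTE(review): every directive and comment line in this part of the
# file is restored to its own line; in the collapsed form the active
# settings sat inside "#" comment text.
#connect_timeout 120
connect_timeout 120

#  TAG: read_timeout (in minutes)
#    An active connection will be aborted after read_timeout minutes
#    of no activity on that connection (i.e., assume the remote server
#    or network connection died after the connection was established).
#    The default is 15 minutes.
#
#read_timeout 15

#  TAG: client_lifetime (in minutes)
#    The maximum amount of time that a client (browser) is allowed to
#    remain connected to the cache process.  This protects the Cache
#    from having a lot of sockets (and hence file descriptors) tied up
#    in a CLOSE_WAIT state from remote clients that go away without
#    properly shutting down (either because of a network failure or
#    because of a poor client implementation).  The default is three
#    hours, 20 minutes.
#
#    NOTE:  The default value is designed with low-speed client
#    connections in mind.  200 minutes should be plenty of time to
#    transfer a 10M file at 1k/sec.  If you have high-speed client
#    connectivity, or occasionally run out of file descriptors,
#    we suggest you lower this value appropriately.
#
#client_lifetime 200
client_lifetime 120

#  TAG: shutdown_lifetime (in seconds)
#
#    When SIGTERM or SIGHUP is received, the cache is put into
#    "shutdown pending" mode until all active sockets are closed.
#    This value is the lifetime to set for all open descriptors
#    during shutdown mode.  Any active clients after this many
#    seconds will receive a 'lifetime expire' message.
#
shutdown_lifetime 30

#  TAG: clean_rate (in minutes)
#    How often to force a full garbage collection.  Garbage collection
#    involves checking the expire time of every object in the cache.
#
#    NOTE: this option is provided only for backwards compatibility.
#    We recommend that you leave it disabled (i.e. set to -1).  Expired
#    objects are removed from the cache little by little as a part of
#    its normal operations.
#
#clean_rate -1


# ACCESS CONTROLS
#-----------------------------------------------------------------------------

#  Defining an Access List
#
#    acl aclname acltype string1 ...
#    acl aclname acltype "file" ...
#
#    when using "file", the file should contain one item per line
#
#    acltype is one of src dst srcdomain dstdomain url_pattern urlpath_pattern
#                      time port proto method browser user
#
#    acl aclname src      ip-address/netmask ...   (clients IP address)
#    acl aclname src      addr1-addr2/netmask ...  (range of addresses)
#    acl aclname dst      ip-address/netmask ...   (URL host's IP address)
#    acl aclname srcdomain foo.com ...   (taken from reverse DNS lookup)
#    acl aclname dstdomain foo.com ...   (taken from the URL)
#    acl aclname time     [day-abbrevs]  [h1:m1-h2:m2]
#        day-abbrevs:
#            S - Sunday
#            M - Monday
#            T - Tuesday
#            W - Wednesday
#            H - Thursday
#            F - Friday
#            A - Saturday
#        h1:m1 must be less than h2:m2
#    acl aclname url_regex ^http:// ...      # regex matching on whole URL
#    acl aclname urlpath_regex \.gif$ ...    # regex matching on URL path only
#    acl aclname port     80 70 21 ...
#    acl aclname proto    HTTP FTP ...
#    acl aclname method   GET POST ...
#    acl aclname browser  regexp
#    acl aclname user     username ...       # string match on ident output.
#                                            # use REQUIRED to accept any
#                                            # non-null ident.
#
# NOTE(review): 'srcdomain' comes from a reverse DNS lookup (see above),
# so it depends on a name the client's network controls. Address-based
# 'src' ACLs are the more dependable basis for allow rules.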
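# NOTE(review): each acl is restored to its own line. In the collapsed
# form a whole run of definitions shared one physical line, so everything
# after the first definition would have been read as further values of it.

acl manager proto cache_object
# NOTE(review): 'localhost' is not loopback-only; it also holds
# 163.28.112.101. Every rule written against 'localhost' (cache manager
# and purge access) therefore applies to that remote address as well.
# Confirm it is one of this host's own interfaces.
acl localhost src 127.0.0.1 163.28.112.101
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl CONNECT method CONNECT
# NOTE(review): this ACL is named PURGE, but the http_access rules refer
# to it as 'purge'. That works only if ACL names are matched without
# regard to case - confirm, or use one spelling throughout.
acl PURGE method purge

########################## from MOE mail messages ##########################
# (The comment text in this box is translated from mis-encoded,
# apparently Big5, text; the wording is approximate.)
# In the cache_host_acl section
# 1. Configure this cache as the parent of downstream caches
# acl validip src <third-level proxy IPs and the IPs that connect to
#                  your regional network centre>
# http_access allow validip
# http_access deny !validip
# icp_access allow validip
# icp_access deny !validip
# miss_access allow validip
# miss_access deny !validip
############################################################################

# define packets go inside taiwan/tanet/ncku/com
# NOTE(review): several entries in the dst/src lists below (for example
# 140.92.0.0, 192.192.0.0, 203.64.0.0) carry no netmask while their
# neighbours do. Whether such an entry matches a whole network or one
# address depends on how this Squid build treats a mask-less address.
# Writing every mask explicitly removes the ambiguity.
acl twdn dstdomain tw twnic.net hinet.net acer.net wownet.net seeder.net silkera.net neto.net timenet.net tw.aunet.net pamud.net
acl twip dst 163.28.0.0/16 140.96.0.0/11 140.128.0.0/12 140.92.0.0 139.175.0.0/16 139.223.0.0/16 163.12.0.0/14 163.16.0.0/14 168.95.0.0/16 192.72.0.0/16 192.83.160.0/19 192.83.192.0/22 192.192.0.0/16 202.39.0.0/16 202.132.128.0/17 202.145.224.0/19 203.64.0.0/12 210.64.0.0/13 210.60.0.0/14 210.71.0.0/17
acl tanetdn dstdomain edu.tw
acl tanetip dst 163.28.0.0/16 140.96.0.0/11 140.128.0.0/12 140.92.0.0 163.12.0.0/14 163.16.0.0/14 192.83.160.0/19 192.83.192.0/22 192.192.0.0 203.64.0.0 203.68.0.0 203.71.0.0 203.72.0.0 210.70.0.0
acl nckudn dstdomain ncku.edu.tw
acl nckuip dst 140.116.0.0/16 163.28.112.0/24 163.28.113.0/24 163.28.114.0/24 163.28.115.0/24 163.28.116.0/24 163.28.117.0/24
acl com dstdomain com com.tw

# define packets come from seednet/hinet/tanet/ncku
# NOTE(review): seednet, hinet, tanet and ncku are not referenced by any
# http_access, icp_access or miss_access rule in this file.
acl seednet src 139.175.0.0 139.223.0.0 192.72.0.0 202.132.128.0/17 202.145.224.0/19 203.67.0.0 203.70.0.0 203.73.0.0 203.77.0.0 203.79.0.0/19 210.64.0.0 210.66.0.0/15 210.68.0.0
acl hinet src 168.95.0.0 202.39.0.0 203.65.0.0 203.66.0.0 203.69.0.0 203.74.0.0 203.75.0.0 210.65.0.0 210.69.0.0 210.71.0.0
acl tanet src 163.28.0.0/16 140.96.0.0/11 140.128.0.0/12 140.92.0.0 163.12.0.0/14 163.16.0.0/14 192.83.160.0/19 192.83.192.0/22 192.192.0.0 203.64.0.0 203.68.0.0 203.71.0.0 203.72.0.0 210.70.0.0
acl ncku src 140.116.0.0/16 163.28.112.0/24 163.28.113.0/24 163.28.114.0/24 163.28.115.0/24 163.28.116.0/24 163.28.117.0/24

# define packets come from ncku level3 proxy
# NOTE(review): 140.116.0.0 stands without a netmask among entries that
# are otherwise single hosts. If this Squid build infers a mask for an
# address ending in zero octets, the entry covers the whole 140.116.0.0/16
# range that the ncku ACL spells out. 'level3' is granted cache-manager,
# HTTP, ICP and miss access by the rules that follow, so this one entry
# decides whether those grants reach a handful of proxies or every campus
# client. Confirm the intent and write the mask explicitly.
acl level3 src 163.28.112.100 140.116.72.72 140.116.49.1 140.116.36.40 140.116.36.214 140.116.66.41 140.116.42.128 140.116.0.0 140.116.248.1 140.116.248.2 140.116.248.3 140.116.248.4 140.116.248.5 140.116.248.6

#define packets come from other level2 proxy
# NOTE(review): 163.28.0.0/16 is a whole /16, not a list of proxy hosts.
# Any client in that range passes the rules written against 'proxynet'.
acl proxynet src 163.28.0.0/16

# define packets come from tainan-area proxy
# The text after each address below is a mis-encoded (apparently Big5)
# name for the site behind that address, kept as found.
# 192.192.31.7 ±X¤s§Þ³N¾Ç°|
# 163.26.220.5 163.26.227.11 «n»O§Þ³N¾Ç°|
# 203.64.21.119 ªøºa°ª¤¤
# 192.192.3.3 ¥x«n¤k¤l§Þ³N¾Ç°|
# 210.59.20.1 ·O¥®°ª¤u
# 203.68.74.32 ·sÀç°ª¤u
# 192.192.97.3 ¥x«n®v°|¬
# 203.71.52.1 ¥x«nÃÀ³N¾Ç°|
# 210.70.111.3 Ãs®ü¤¤¾Ç
# 203.68.23.5 ¥x«n¥Õªe°ª°Ó
# 203.68.23.1 ¥x«n¥Õªe°ª°Ó
# 203.71.96.3 ¥x«n¤k¤¤
# 203.71.115.100 ¥x«nªøºaºÞ²z¾Ç°|
# 192.192.205.250 «nºa¤u°Ó±M
# 210.60.2.3 «á¥Ò°ê¤¤
# 210.71.127.5 &w°ê¤¤
# 210.70.121.5 ¤jÆW¤¤¾Ç
# NOTE(review): 192.192.170.61 is in the ACL below but has no entry in
# the list above. Record which site it belongs to, or remove it.
acl tainannet src 192.192.31.7 163.26.220.5 203.64.21.119 192.192.3.3 210.59.20.1 203.68.74.32 192.192.97.3 203.71.52.1 210.70.111.3 203.68.23.5 203.71.96.3 203.71.115.100 192.192.205.250 203.68.23.1 163.26.227.11 210.60.2.3 192.192.170.61 210.71.127.5 210.70.121.5

# define packets come from seednet/hinet/tanet/ncku
# NOTE(review): these four lines repeat the seednet/hinet/tanet/ncku
# definitions given earlier, value for value. They are kept as found;
# dropping one copy would leave a single place to edit.
acl seednet src 139.175.0.0 139.223.0.0 192.72.0.0 202.132.128.0/17 202.145.224.0/19 203.67.0.0 203.70.0.0 203.73.0.0 203.77.0.0 203.79.0.0/19 210.64.0.0 210.66.0.0/15 210.68.0.0
acl hinet src 168.95.0.0 202.39.0.0 203.65.0.0 203.66.0.0 203.69.0.0 203.74.0.0 203.75.0.0 210.65.0.0 210.69.0.0 210.71.0.0
acl tanet src 163.28.0.0/16 140.96.0.0/11 140.128.0.0/12 140.92.0.0 163.12.0.0/14 163.16.0.0/14 192.83.160.0/19 192.83.192.0/22 192.192.0.0 203.64.0.0 203.68.0.0 203.71.0.0 203.72.0.0 210.70.0.0
acl ncku src 140.116.0.0/16 163.28.112.0/24 163.28.113.0/24 163.28.114.0/24 163.28.115.0/24 163.28.116.0/24 163.28.117.0/24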
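##########################################################################
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# Access to the ICP port:
# icp_access  allow|deny [!]aclname ...
#
# NOTE(review): each rule is restored to its own line. In the collapsed
# form the whole rule set sat on one physical line that begins with '#',
# so none of it would have been read as configuration.

# Cache manager access: the local host plus the level3 proxies.
# NOTE(review): this is wider than "local host only". The 'localhost'
# ACL also holds 163.28.112.101, and 'level3' is allowed as well; level3
# includes the mask-less entry 140.116.0.0. No cache-manager password
# setting appears in this file - check whether this Squid build offers
# one before leaving manager access open to remote addresses.
http_access allow manager localhost
http_access allow manager level3
http_access deny manager all
http_access deny CONNECT !SSL_ports

# Allow purge requests from 'localhost' only.
# The ACL is defined as PURGE; these rules used 'purge'. The rules now use
# the defined spelling, so the restriction no longer depends on
# case-insensitive ACL name lookup.
http_access allow PURGE localhost
http_access deny PURGE all

# Allow everything else for the level3 proxies, the other level2 proxy
# network and the tainan-area proxies; deny everyone else.
http_access allow level3
http_access allow proxynet
http_access allow tainannet
http_access deny all

# Reply to ICP queries from the same three groups only.
icp_access allow level3
icp_access allow proxynet
icp_access allow tainannet
icp_access deny all

#  TAG: miss_access
#    Use to force your neighbors to use you as a sibling instead of
#    a parent.  For example:
#
#        acl localclients src 172.16.0.0/16
#        miss_access allow localclients
#        miss_access deny  !localclients
#
#    This means that only your local clients are allowed to fetch
#    MISSES and all other clients can only fetch HITS.
#
#    By default, allow all clients who passed the http_access rules
#    to fetch MISSES from us.
#
# NOTE(review): the three groups allowed here are the same three that
# http_access allows, so every client that passes http_access may also
# fetch MISSES. As written, these rules restrict nothing further.
miss_access allow level3
miss_access allow tainannet
miss_access allow proxynet
miss_access deny all

##########################################################################

#  TAG: cache_host_acl
#    Just like 'cache_host_domain' but provides more flexibility by
#    using ACL's.
#
#        cache_host_acl cache-host [!]aclname ...
#
#    NOTE:  * Any number of ACL's may be given for a cache-host,
#             either on the same or separate lines.
#           * When multiple ACL's are given for a particular
#             cache-host, the first matched ACL is applied.
#           * Cache hosts with no domain or ACL restrictions are
#             queried for all requests.
#           * There are no defaults.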
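# NOTE(review): every directive and comment line in this part of the
# file is restored to its own line; in the collapsed form the settings
# sat inside "#" comment text.
#
# NOTE(review): every host named by an active cache_host_acl line below
# (proxy.edu.tw, ccproxy1/ccproxy2.nsysu.edu.tw, proxy.ccu.edu.tw,
# w3-gate/w3-gate2.nctu.edu.tw) has its cache_host line commented out
# earlier in the file. The three siblings that are active (gate2, proxy
# and proxy2 at ncku.edu.tw) have no cache_host_acl line, so per the tag
# description they are queried for all requests. Check how this Squid
# build treats a cache_host_acl line for an undefined peer, and whether
# the active siblings should carry the same !twdn !twip restriction.

# only fetch data outside taiwan from parent: proxy.edu.tw & twcache.sinica.edu.tw
cache_host_acl proxy.edu.tw !twdn !twip
#cache_host_acl twcache.sinica.edu.tw !twdn !twip

# only fetch data outside taiwan from sibling :.....
cache_host_acl ccproxy1.nsysu.edu.tw !twdn !twip
cache_host_acl ccproxy2.nsysu.edu.tw !twdn !twip
cache_host_acl proxy.ccu.edu.tw !twdn !twip
cache_host_acl w3-gate.nctu.edu.tw !twdn !twip com
cache_host_acl w3-gate2.nctu.edu.tw !twdn !twip !com
#cache_host_acl www.twnic.net !twdn !twip
#cache_host_acl proxytest.ncu.edu.tw !twdn !twip
#cache_host_acl proxy.nthu.edu.tw !twdn !twip
#cache_host_acl cache.nchu.edu.tw !twdn !twip
#cache_host_acl cache.ccu.edu.tw !twdn !twip
#cache_host_acl harp06.nchc.gov.tw !twdn !twip


# ADMINISTRATIVE PARAMETERS
#-----------------------------------------------------------------------------

#  TAG: cache_mgr
#    Email-address of local cache manager who will receive
#    mail if the cache dies.  The default is "webmaster."
#
#cache_mgr webmaster
cache_mgr squidadm@gate.ncku.edu.tw

#  TAG: cache_effective_user
#    If the cache is run as root, it will change its effective/real
#    UID/GID to the UID/GID specified below.  The default is not to
#    change UID/GID.
#
# NOTE(review): the active setting is 'cache_effective_user squidadm' at
# the very top of the file; only the example below is commented out.
#cache_effective_user nobody nogroup

#  TAG: visible_hostname
#    If you want to present a special hostname in error messages, etc,
#    then define this.  Otherwise, the return value of gethostname()
#    will be used.
#
visible_hostname gate.ncku.edu.tw


# OPTIONS FOR THE CACHE REGISTRATION SERVICE
#-----------------------------------------------------------------------------

#    This section contains parameters for the (optional) cache
#    announcement service.  This service is provided to help
#    cache administrators locate one another in order to join or
#    create cache hierarchies.
#
#    An 'announcement' message is sent (via UDP) to the registration
#    service by Squid.  By default, the announcement message is NOT
#    SENT unless you enable it with 'cache_announce' below.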
# # The announcement message includes your hostname, plus the # following information from this configuration file: # # http_port # icp_port # cache_mgr # # All current information is processed regularly and made # available on the Web at http://www.nlanr.net/Cache/Tracker/. # This is how frequently to send cache announcements. The default # is `0' which disables sending the announcement messages. # # To enable announcing your cache, just uncomment the line below. # cache_announce 24 # This is the hostname and portnumber where the registration message # will be sent. # # Format: announce_to host[:port] [filename] # # Hostname will default to 'sd.cache.nlanr.net' and port will default # to 3131. If the 'filename' argument is given, the contents of that # file will be included in the announce message. # announce_to sd.cache.nlanr.net:3131 # HTTPD-ACCELERATOR OPTIONS #----------------------------------------------------------------------------- # TAG: httpd_accel # If you want to run squid as an httpd accelerator, define the # host name and port number where the real HTTP server is. # # If you want virtual host support then specify the hostname # as "virtual". # #httpd_accel real_httpd_host real_httpd_port # TAG: httpd_accel_with_proxy # If you want to use squid as both a local httpd accelerator # and as a proxy, change this to 'on'. # #httpd_accel_with_proxy off # TAG: httpd_accel_uses_host_header # HTTP/1.1 requests include a Host: header which is basically the # hostname from the URL. Squid can be an accelerator for # different HTTP servers by looking at this header. However, # Squid does NOT check the value of the Host header, so it opens # a big security hole. We recommend that this option remain # disabled unless you are sure of what you are doing. # #httpd_accel_uses_host_header off # TAG: logfile_rotate # # Specifies the number of logfile rotations to make upon receiving # a USR1 signal. The default is 10, which will rotate with # extensions 0 through 9. 
Setting logfile_rotate to 0 will # disable the rotation, but the logfiles are still closed and # re-opened. This will enable you to rename the logfiles yourself # just before sending a USR1 signal to the squid process. # logfile_rotate 3