Difference between revisions of "SafeSquid Startup Parameters"

From Secure Web Gateway
en>Santosh.thorat

Latest revision as of 15:36, 24 July 2021

Overview

SafeSquid loads its default configuration/startup parameters from the startup.ini file. You can modify the startup parameter values from the SafeSquid GUI. Modified values of startup parameters are stored in the /opt/safesquid/startup.ini file.
SafeSquid loads its default setup parameters from the setup.ini file. To modify setup parameters, make a copy of the setup.ini file and store it as /opt/safesquid/setup.ini before editing it manually.

Field Explanation
LISTEN_IP A proxy server acts as an intermediary/bridge between the internet and the user's computer. LISTEN_IP is the IP address of the socket on which SafeSquid binds and listens for incoming TCP connections. Default value for LISTEN_IP is "*", which allows SafeSquid to bind the instance to more than one IP address.
LISTEN_PORT LISTEN_PORT is the HTTP port on which the SafeSquid proxy listens for all incoming requests. The SafeSquid instance binds to LISTEN_IP:LISTEN_PORT and serves requests. Default value for LISTEN_PORT is 8080.
MASTER_IP MASTER_IP is the IP address of the Master server in a Master-Slave configuration. A Master-Slave configuration is generally used to ensure automatic synchronization of policies among various clustered services, or even remote proxy servers. SafeSquid can be invoked as Slave, and can be configured to synchronize and fetch configuration parameters and policies from a remote Linux based SafeSquid Master server. This mode of operation becomes automatically effective if the MASTER_IP and MASTER_PORT of the Master service are specified. MASTER_IP can be the FQDN or IP address on which the Master SafeSquid server is listening. Default value for MASTER_IP is "", which is for standalone proxy service.
MASTER_PORT MASTER_PORT is the HTTP port that, along with MASTER_IP, is used for the Master-Slave configuration. Default value for MASTER_PORT is "". For standalone proxy service always leave MASTER_IP and MASTER_PORT blank.
SEND_SOCKET_BUFFERS SafeSquid throughput can be boosted by TCP tuning of the socket buffers. Each network socket is allocated a send buffer for outbound packets and a receive buffer for inbound packets. SEND_SOCKET_BUFFERS is used for tuning the outbound data buffer. The outbound data buffer is for client->SafeSquid->Webserver. Default value for SEND_SOCKET_BUFFERS is 131072.
RECEIVE_SOCKET_BUFFERS SafeSquid throughput can be boosted by TCP tuning of the socket buffers. Each network socket is allocated a send buffer for outbound packets and a receive buffer for inbound packets. RECEIVE_SOCKET_BUFFERS is used for tuning the inbound data buffer. The inbound data buffer is for Webserver->SafeSquid->client. Default value for RECEIVE_SOCKET_BUFFERS is 131072.
TCP_KEEPIDLE_TIME TCP_KEEPIDLE_TIME is the time (in seconds) to keep an idle TCP connection active. This parameter is used and can be modified to tune the overall stability and system resource utilisation of SafeSquid. Default value for TCP_KEEPIDLE_TIME is 900.
TCP_KEEPINTVL_TIME TCP_KEEPINTVL_TIME is the interval between packets sent to validate the TCP connection. This parameter is used and can be modified to tune the overall stability and system resource utilisation of SafeSquid. Default value for TCP_KEEPINTVL_TIME is 75.
TCP_KEEPCNT_COUNTS TCP_KEEPCNT_COUNTS is the number of keepalive probes to be sent before terminating the connection. This parameter is used and can be modified to tune the overall stability and system resource utilisation of SafeSquid. Default value for TCP_KEEPCNT_COUNTS is 9.
PASSWORD_CACHE_SIZE SafeSquid provides an excellent Password Caching feature which is used to reduce the latency when authentication is desired from a remote authentication system. Password Caching also tremendously reduces the communication overheads. PASSWORD_CACHE_SIZE is the maximum number of password cache entries stored in memory. Default value for PASSWORD_CACHE_SIZE is 8111.
PASSWORD_CACHE_EXPIRE_TIME PASSWORD_CACHE_EXPIRE_TIME is the time (in seconds) to keep the password cache entries in memory and clean the entry after expiry time. Default value for PASSWORD_CACHE_EXPIRE_TIME is 3600 seconds.
NEVER_SYNC The SafeSquid service, when invoked as SLAVE, fetches policies from a remote Linux / Windows based SafeSquid server acknowledged as MASTER. These policies are configured in various sections of SafeSquid. You can specify, in comma separated format, the names of the sections that need not be fetched from the Master instance for synchronization. Default value for NEVER_SYNC is "cache", which indicates that the caching section should never be synchronized, since each SafeSquid service instance has its own set of cached objects, which are strictly encoded and decoded with the individual activation key.
Note: Synchronization process works only if MASTER_IP and MASTER_PORT are specified.
ALWAYS_SYNC The SafeSquid service, when invoked as SLAVE, fetches policies from a remote Linux / Windows based SafeSquid server acknowledged as MASTER. These policies are configured in various sections of SafeSquid. You can specify, in comma separated format, the names of the sections that should be fetched from the Master instance for synchronization. Default value for ALWAYS_SYNC is "".
Note: Synchronization process works only if MASTER_IP and MASTER_PORT are specified.
LOG_SIZE_LIMIT LOG_SIZE_LIMIT is the size (in bytes) that specifies the maximum size of any log file, after which SafeSquid performs log rotation. Default value for LOG_SIZE_LIMIT is 524288000 bytes.
SYNCTIME SYNCTIME is the time (in seconds) after which the slave server will get synchronized with Master server by fetching policy configuration. Default value for SYNCTIME is 99 seconds.
Note: Synchronization process works only if MASTER_IP and MASTER_PORT are specified. Leave this blank if you are setting up a standalone Proxy Service.
LOG_LEVEL LOG_LEVEL is the numerical value which determines the details that will be logged in the log file, like REQUESTS, SECURITY, REDIRECT etc. This parameter affects only the SafeSquid Native Log. You can control the verbosity of the Native log with this parameter. Selecting too many options could affect the size of the log file. Default value for LOG_LEVEL is 134217727.
Note: For debugging set 268435455. ADVICE-0; REQUEST-1; NETWORK-2; LDAP-4; HEADER-8; INTERFACE-16; COOKIE-32; REDIRECT-64; TEMPLATE-128; TEXT_ANALYZER-256; REWRITE-512; LIMITS-1024; CACHE-2048; PREFETCH-4096; ICP-8192; FORWARD-16384; SYNC-32768; ANTIVIRUS-65536; EXTERNAL-131072; ICAP-262144; SSL-524288; CATEGORY-1048576; URLCOMMAND-2097152; MODULE-4194304; SECURITY-8388608; WARN-16777216; ERROR-33554432; PROFILES-67108864; DEBUG-134217728;
PROCESS_OLD_LOGS PROCESS_OLD_LOGS is the numeric value that specifies the activity to be done during log rotation. When a log file exceeds LOG_SIZE_LIMIT, SafeSquid executes the log rotation process. If PROCESS_OLD_LOGS is set to 0, SafeSquid opens a new log file and deletes the earlier file. If PROCESS_OLD_LOGS is set to 1, SafeSquid opens a new log file and compresses the earlier file with the current time-stamp. If PROCESS_OLD_LOGS is set to any value other than 0 and 1, SafeSquid opens a new log file and renames the earlier file with the current time-stamp. Default value for PROCESS_OLD_LOGS is 1.
STACKSIZE STACKSIZE is the numeric value that defines the stack size of a thread created by SafeSquid. If STACKSIZE is specified as 20 here, then the SafeSquid executable will set the thread stack size to 2^20 i.e. 1024Kb. For optimum use of memory this value should be a multiple of pagesize. Default value for STACKSIZE is 21.
MALLOC_CHECKING This feature is not yet described.
OVERLOAD_FACTOR OVERLOAD_FACTOR is the numeric value used to dynamically control the number of connections held in the client pool. OVERLOAD_FACTOR along with MAXTHREADS strengthens SafeSquid's capability to deal with DDoS attacks, or with similar conditions that develop unintentionally. Default value for OVERLOAD_FACTOR is 10.
SOCKET_TIMEOUT SOCKET_TIMEOUT is the minimum time (in seconds) a socket handle will be monitored by SafeSquid for a consecutive incoming request on an established connection. If the client side application supports pipelining, the subsequent request will be handled with nearly zero latency. SafeSquid will additionally check for a socket's availability for 10 times the SOCKET_TIMEOUT before considering it to be a dead socket. Default value for SOCKET_TIMEOUT is 6 seconds.
THREAD_TIMEOUT SafeSquid can use the same thread to handle consecutive connections. THREAD_TIMEOUT is the minimum time (in seconds) a thread is kept alive after serving a request, so that it can serve a new request immediately after serving the first request. Keeping a higher THREAD_TIMEOUT reserves virtual memory for a longer period, but reduces the CPU overheads involved in creation of a new thread. Keeping a lower THREAD_TIMEOUT releases virtual memory faster and may be beneficial if the environment requires a large number of concurrent threads, while conserving virtual memory. Default value for THREAD_TIMEOUT is 10 seconds.
HOSTNAME HOSTNAME is your SafeSquid server hostname, the name by which the proxy's host or service name is referred. HOSTNAME is also used as the [realm] parameter for the authentication process. HOSTNAME can be configured even in the General Section of SafeSquid's run-time configuration. HOSTNAME can be set to the IP address if you intend to manage SafeSquid without setting it as your browser's proxy server.
Note: If you intend this instance to be a part of load-balanced clustered service, then ensure each instance participating in the cluster has a common HOSTNAME. Default value for HOSTNAME is "".
DOMAIN DOMAIN is Domain Name for SafeSquid server. A domain name represents an Internet Protocol(IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet. Default value for DOMAIN is "".
MAXTHREADS MAXTHREADS is the numeric value that defines the maximum number of concurrent threads SafeSquid will open. SafeSquid has a multi-threaded architecture. Each request is served by a thread, and handles are required to use resources. MAXTHREADS is specified as the maximum number of concurrent requests that may be handled in the multi-threaded architecture. Default value for MAXTHREADS is 8192.
MAX_FDS MAX_FDS is the numeric value that defines the maximum number of handles that can be used to access file(s) or other input/output resources, such as a pipe or network socket. SafeSquid limits the maximum number of handles to preserve system stability. Default value for MAX_FDS is 32768.
Note: MAX_FDS should be set to 4 times MAXTHREADS.
EXTENDED_UDP_IP EXTENDED_UDP_IP is the IP address of the UDP server to which extended logs are written. SafeSquid will write extended logs to the UDP server using UDP sockets when both EXTENDED_UDP_IP and EXTENDED_UDP_PORT are specified. Default value for EXTENDED_UDP_IP is "".
EXTENDED_UDP_PORT EXTENDED_UDP_PORT is the port of the UDP server to which extended logs are written. SafeSquid will write extended logs to the UDP server using UDP sockets when both EXTENDED_UDP_IP and EXTENDED_UDP_PORT are specified. Default value for EXTENDED_UDP_PORT is "".
NATIVE_UDP_IP NATIVE_UDP_IP is the IP address of the UDP server to which native logs are written. SafeSquid will write native logs to the UDP server using UDP sockets when both NATIVE_UDP_IP and NATIVE_UDP_PORT are specified. Default value for NATIVE_UDP_IP is "".
NATIVE_UDP_PORT NATIVE_UDP_PORT is the port of the UDP server to which native logs are written. SafeSquid will write native logs to the UDP server using UDP sockets when both NATIVE_UDP_IP and NATIVE_UDP_PORT are specified. Default value for NATIVE_UDP_PORT is "".
CONFIG_UDP_IP CONFIG_UDP_IP is the IP address of the UDP server to which config logs are written. SafeSquid will write config logs to the UDP server using UDP sockets when both CONFIG_UDP_IP and CONFIG_UDP_PORT are specified. Default value for CONFIG_UDP_IP is "".
CONFIG_UDP_PORT CONFIG_UDP_PORT is the port of the UDP server to which config logs are written. SafeSquid will write config logs to the UDP server using UDP sockets when both CONFIG_UDP_IP and CONFIG_UDP_PORT are specified. Default value for CONFIG_UDP_PORT is "".
REAL_TIME_DB_WRITE REAL_TIME_DB_WRITE is the numeric value that determines whether SafeSquid logs should be written to the database or not. If REAL_TIME_DB_WRITE is set to 1, real time logs will be written to the SQLite database. If REAL_TIME_DB_WRITE is set to 0, real time logs will not be written to the SQLite database. Default value for REAL_TIME_DB_WRITE is 1.
STATEMENT_COUNT SafeSquid uses the STATEMENT_COUNT parameter to optimize writing into the SQLite database. STATEMENT_COUNT is the maximum number of log lines written into the SQLite database in one transaction. Default value of STATEMENT_COUNT is 100.
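
The LOG_LEVEL value described in the table above is a sum of the flag values listed in its note. The following Python sketch is an added example, not SafeSquid code: it decodes a LOG_LEVEL into flag names, builds one from names, and reports which of a chosen set of flags a value would leave unlogged. The function names and the default "required" set (SECURITY, WARN, ERROR) are assumptions made for illustration.

```python
# Flag values copied from the LOG_LEVEL note on this page.
# ADVICE is listed there with value 0, so it has no bit of its own and is omitted.
LOG_FLAGS = {
    "REQUEST": 1, "NETWORK": 2, "LDAP": 4, "HEADER": 8, "INTERFACE": 16,
    "COOKIE": 32, "REDIRECT": 64, "TEMPLATE": 128, "TEXT_ANALYZER": 256,
    "REWRITE": 512, "LIMITS": 1024, "CACHE": 2048, "PREFETCH": 4096,
    "ICP": 8192, "FORWARD": 16384, "SYNC": 32768, "ANTIVIRUS": 65536,
    "EXTERNAL": 131072, "ICAP": 262144, "SSL": 524288, "CATEGORY": 1048576,
    "URLCOMMAND": 2097152, "MODULE": 4194304, "SECURITY": 8388608,
    "WARN": 16777216, "ERROR": 33554432, "PROFILES": 67108864,
    "DEBUG": 134217728,
}
ALL_BITS = sum(LOG_FLAGS.values())  # equals the page's debugging value


def decode_log_level(value):
    """Return (enabled flag names, leftover bits that the page does not name)."""
    if value < 0:
        raise ValueError("LOG_LEVEL cannot be negative")
    enabled = [name for name, bit in LOG_FLAGS.items() if value & bit]
    return enabled, value & ~ALL_BITS


def encode_log_level(names):
    """Build a LOG_LEVEL from flag names; a misspelt name raises KeyError."""
    value = 0
    for name in names:
        value |= LOG_FLAGS[name.upper()]
    return value


def audit_log_level(value, required=("SECURITY", "WARN", "ERROR")):
    """Names from `required` (an assumed baseline) that `value` would not log."""
    enabled, _ = decode_log_level(value)
    return [name for name in required if name not in enabled]


if __name__ == "__main__":
    for level in (134217727, 268435455):  # default and debugging values
        names, unknown = decode_log_level(level)
        print(level, len(names), "flags; DEBUG on:", "DEBUG" in names, unknown)
    print(audit_log_level(encode_log_level(["REQUEST", "ERROR"])))
```

Decoding the default 134217727 shows every listed flag except DEBUG; the debugging value 268435455 adds DEBUG.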

 

Note: You can tune SafeSquid for better results by modifying the Startup Parameters as part of overall system and application tuning. Quite a few users have experienced difficulties due to lack of understanding of SafeSquid's configuration, and possibly due to insufficient documentation on the subject.
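
Several parameters above only make sense together: the IP/PORT pairs, ALWAYS_SYNC with a master, and MAX_FDS against MAXTHREADS. The following Python sketch is an added example, not part of SafeSquid: it checks those relationships over a dict of parameter values. The function name, the finding texts and the sample values are constructed for illustration, and the dict is assumed to be filled by whatever reads your startup.ini, since the page does not show the file's syntax.

```python
# Defaults as stated on this page, for the parameters checked here.
DEFAULTS = {"MASTER_IP": "", "MASTER_PORT": "", "ALWAYS_SYNC": "",
            "MAXTHREADS": "8192", "MAX_FDS": "32768", "PROCESS_OLD_LOGS": "1",
            "EXTENDED_UDP_IP": "", "EXTENDED_UDP_PORT": "",
            "NATIVE_UDP_IP": "", "NATIVE_UDP_PORT": "",
            "CONFIG_UDP_IP": "", "CONFIG_UDP_PORT": ""}

# Pairs that, per the page, take effect only when both values are specified.
PAIRS = [("MASTER_IP", "MASTER_PORT"), ("EXTENDED_UDP_IP", "EXTENDED_UDP_PORT"),
         ("NATIVE_UDP_IP", "NATIVE_UDP_PORT"), ("CONFIG_UDP_IP", "CONFIG_UDP_PORT")]


def check_startup(params):
    """Return a list of findings for a dict of parameter name -> value."""
    p = dict(DEFAULTS)
    p.update({key: str(val).strip() for key, val in params.items()})
    findings = []
    for ip_key, port_key in PAIRS:
        ip, port = p[ip_key], p[port_key]
        if bool(ip) != bool(port):
            findings.append(f"{ip_key}/{port_key}: set both or leave both blank")
        elif port and not (port.isdecimal() and 1 <= int(port) <= 65535):
            findings.append(f"{port_key}: {port!r} is not a valid port number")
    if p["ALWAYS_SYNC"] and not (p["MASTER_IP"] and p["MASTER_PORT"]):
        findings.append("ALWAYS_SYNC: set, but no master is configured")
    try:
        threads, fds = int(p["MAXTHREADS"]), int(p["MAX_FDS"])
    except ValueError:
        findings.append("MAXTHREADS/MAX_FDS: values must be numeric")
    else:
        if fds != 4 * threads:
            findings.append(f"MAX_FDS: {fds} is not 4 x MAXTHREADS ({4 * threads})")
    if p["PROCESS_OLD_LOGS"] == "0":
        findings.append("PROCESS_OLD_LOGS: 0 deletes the earlier log on rotation")
    return findings


# Constructed sample: master port missing, MAXTHREADS raised without MAX_FDS,
# rotated logs deleted. Addresses are documentation-range placeholders.
SAMPLE = {"MASTER_IP": "192.0.2.10", "MAXTHREADS": "16384",
          "NATIVE_UDP_IP": "192.0.2.20", "NATIVE_UDP_PORT": "514",
          "PROCESS_OLD_LOGS": "0"}

if __name__ == "__main__":
    for finding in check_startup(SAMPLE):
        print(finding)
```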