records.config¶

The total number of client and origin server connections that the server can handle simultaneously. This is in fact the max number of file descriptors that the traffic_server process can have open at any given time. Roughly 10% of these connections are reserved for origin server connections, i.e. from the default, only ~9,000 client connections can be handled. This should be tuned according to your memory size, and expected work load.

Controls the global default IP addresses to which to bind proxy server ports. The value is a space separated list of IP addresses, one per supported IP address family (currently IPv4 and IPv6).

This controls the global default for the local IP address for outbound connections to origin servers. The value is a list of space separated IP addresses, one per supported IP address family (currently IPv4 and IPv6).

Unless explicitly specified in proxy.config.http.server_ports one of these addresses, selected by IP address family, will be used as the local address for outbound connections. This setting is useful if most or all of the server ports should use the same outbound IP addresses.

Sets the clustering mode:

The reliable service port. The reliable service port is used to send configuration information between the nodes in a cluster. All nodes in a cluster must use the same reliable service port.

The number of threads for cluster communication. On heavy cluster, the number should be adjusted. It is recommend that take the thread CPU usage as a reference when adjusting.

Set the interface to use for cluster communications.

This turns on the local caching of objects in cluster mode. The point of this is to allow for popular or hot content to be cached on all nodes in a cluster. Be aware that the primary way to configure this behavior is via the cache.config configuration file using action=cluster-cache-local directives.

This particular records.config configuration can be controlled per transaction or per remap rule. As such, it augments the cache.config directives, since you can turn on the local caching feature without complex regular expression matching.

This implies that turning this on in your global records.config is almost never what you want; instead, you want to use this either via e.g. conf_remap.so overrides for a certain remap rule, or through a custom plugin using the appropriate APIs.

The semaphore ID for the local manager.

The autoconfiguration port.

The maximum number of copies of rolled configuration files to keep.

Option used to specify who to run the traffic_server process as; also used to specify ownership of config and log files.

The port used for internal communication between the traffic_manager and traffic_server processes.

The address to which the alarm script should send email.

Name of the script file that can execute certain actions when an alarm is signaled. The script is invoked with up to 4 arguments:

• the alarm message
• the value of proxy.config.product_name
• the value of proxy.config.admin.user_id
• the value of proxy.config.alarm_email

The absolute path to the directory containing the alarm script. If this is not set, the script will be located relative to proxy.config.bin_path.

The number of seconds that Traffic Server allows the alarm script to run before aborting it.

Ports used for proxying HTTP traffic.

The range of origin server ports that can be used for tunneling via CONNECT.

Set how the Via field is handled on a request to the origin server.

Set how the Via field is handled on the response to the client.

You can specify one of the following:

• 0 no Server: header is added to the response.
• 1 the Server: header is added (see string below).
• 2 the Server: header is added only if the response from rigin does not have one already.

This option specifies whether Traffic Server should insert an Age header in the response. The Age field value is the cache’s estimate of the amount of time since the response was generated or revalidated by the origin server.

• 0 no Age header is added
• 1 the Age header is added

The Server: string that ATS will insert in a response header (if requested, see above). Note that the current version number is always appended to this string.

Enables (1) or disables (0) .com domain expansion. This configures the Traffic Server to resolve unqualified hostnames by prepending with www. and appending with .com before redirecting to the expanded address. For example: if a client makes a request to host, then Traffic Server redirects the request to www.host.com.

Specifies whether Traffic Sever can generate a chunked response:

• 0 Never
• 1 Always
• 2 Generate a chunked response if the server has returned HTTP/1.1 before
• 3 = Generate a chunked response if the client request is HTTP/1.1 and the origin server has returned HTTP/1.1 before

Enables (1) or disables (0) the reuse of server sessions. The default (2) is similar to enabled, except it creates a server session pool per network thread. This has the best performance characteristics.

Enable and set the ability to re-use server connections across client connections. The valid values are

none

Do not match, do not re-use server sessions.

ip

Re-use server sessions, check only that the IP address and port of the origin server matches.

host

Re-use server sessions, check only that the fully qualified domain name matches.

both

Re-use server sessions, but only if the IP address and fully qualified domain name match.

It is strongly recommended to use either none or both for this value unless you have a specific need to use ip or host. The most common reason is virtual hosts that share an IP address in which case performance can be enhanced if those sessions can be re-used. However, not all web servers support requests for different virtual hosts on the same connection so use with caution.

Control the scope of server session re-use if it is enabled by proxy.config.http.server_session_sharing.match. The valid values are

global

Re-use sessions from a global pool of all server sessions.

thread

Re-use sessions from a per-thread pool.

Enables (1) or disables (0) traffic_cop heartbeat logging.

For fully transparent ports use the same origin server address as the client.

Enables (1) or disables (0) incoming keep-alive connections.

Enables (1) or disables (0) outgoing keep-alive connections.

Controls wether new POST requests re-use keep-alive sessions (1) or create new connections per request (0).

Enables (1) or disables (0) the parent caching option. Refer to Hierarchical Caching.

The amount of time allowed between connection retries to a parent cache that is unavailable.

The number of times the connection to the parent cache can fail before Traffic Server considers the parent unavailable.

The total number of connection attempts allowed to a parent cache before Traffic Server bypasses the parent or fails the request (depending on the go_direct option in the parent.config file).

The total number of connection attempts allowed per parent, if multiple parents are used.

The timeout value (in seconds) for parent cache connection attempts.

Configures Traffic Server to send proxy authentication headers on to the parent cache.

Don’t try to resolve DNS, forward all DNS requests to the parent. This is off (0) by default.

Specifies how long Traffic Server keeps connections to clients open for a subsequent request after a transaction ends. A value of 0 will disable the no activity timeout.

Specifies how long Traffic Server keeps connections to origin servers open for a subsequent transfer of data after a transaction ends. A value of 0 will disable the no activity timeout.

Specifies how long Traffic Server keeps connections to clients open if a transaction stalls.

Specifies how long Traffic Server keeps connections to origin servers open if the transaction stalls.

The maximum amount of time Traffic Server can remain connected to a client. If the transfer to the client is not complete before this timeout expires, then Traffic Server closes the connection.

The maximum amount of time Traffic Server waits for fulfillment of a connection request to an origin server. If Traffic Server does not complete the transfer to the origin server before this timeout expires, then Traffic Server terminates the connection request.

The timeout interval in seconds before Traffic Server closes a connection that has no activity.

Specifies how long Traffic Server continues a background fill before giving up and dropping the origin server connection.

The proportion of total document size already transferred when a client aborts at which the proxy continues fetching the document from the origin server to get it into the cache (a background fill).

The maximum number of connection retries Traffic Server can make when the origin server is not responding.

The maximum number of connection retries Traffic Server can make when the origin server is unavailable.

Limits the number of socket connections across all origin servers to the value specified. To disable, set to zero (0).

Limits the number of socket connections per origin server to the value specified. To enable, set to one (1).

As connection to an origin server are opened, keep at least ‘n’ number of connections open to that origin, even if the connection isn’t used for a long time period. Useful when the origin supports keep-alive, removing the time needed to set up a new connection from the next request at the expense of added (inactive) connections. To enable, set to one (1).

The maximum number of failed connection attempts allowed before a round-robin entry is marked as ‘down’ if a server has round-robin DNS entries.

The timeout value (in seconds) for an origin server connection.

The timeout value (in seconds) for an origin server connection when the client request is a POST or PUT request.

Specifies how long (in seconds) Traffic Server remembers that an origin server was unreachable.

The number of seconds before Traffic Server marks an origin server as unavailable after a client abandons a request because the origin server was too slow in sending the response header.

When enabled (1), Traffic Server bypasses the parent proxy for a request that is not cacheable.

Enables (1) or disables (0) the Congestion Control option, which configures Traffic Server to stop forwarding HTTP requests to origin servers when they become congested. Traffic Server sends the client a message to retry the congested origin server later. Refer to Using Congestion Control.

Transaction buffering / flow control is enabled if this is set to a non-zero value. Otherwise no flow control is done.

The high water mark for transaction buffer control. External source I/O is halted when the total buffer space in use by the transaction exceeds this value.

The low water mark for transaction buffer control. External source I/O is resumed when the total buffer space in use by the transaction is no more than this value.

When enabled (1), Traffic Server caches negative responses (such as 404 Not Found) when a requested page does not exist. The next time a client requests the same page, Traffic Server serves the negative response directly from cache. When disabled (0) Traffic Server will only cache the response if the response has Cache-Control headers.

204  No Content
305  Use Proxy
400  Bad Request
403  Forbidden
404  Not Found
405  Method Not Allowed
500  Internal Server Error
501  Not Implemented
502  Bad Gateway
503  Service Unavailable
504  Gateway Timeout

The cache lifetime for objects cached from this setting is controlled via proxy.config.http.negative_caching_lifetime.

How long (in seconds) Traffic Server keeps the negative responses valid in cache. This value only affects negative responses that do have explicit Expires: or Cache-Control: lifetimes set by the server.

When enabled (1), Traffic Server removes the From header to protect the privacy of your users.

When enabled (1), Traffic Server removes the Referrer header to protect the privacy of your site and users.

When enabled (1), Traffic Server removes the User-agent header to protect the privacy of your site and users.

When enabled (1), Traffic Server removes the Cookie header to protect the privacy of your site and users.

When enabled (1), Traffic Server removes Client-IP headers for more privacy.

When enabled (1), Traffic Server inserts Client-IP headers to retain the client IP address.

Comma separated list of headers Traffic Server should remove from outgoing requests.

When enabled (1), Traffic Server adds the client IP address to the X-Forwarded-For header.

Enable (1) to normalize all Accept-Encoding: headers to one of the following:

• Accept-Encoding: gzip (if the header has gzip or x-gzip with any q) OR
• blank (for any header that does not include gzip)

This is useful for minimizing cached alternates of documents (e.g. gzip, deflate vs. deflate, gzip). Enabling this option is recommended if your origin servers use no encodings other than gzip.

Enables (1) or disables (0) the HTTP PUSH option, which allows you to deliver content directly to the cache without a user request.

Enables (1) or disables (0) ability to a read cached object while the another connection is completing the write to cache for the same object. Several other configuration values need to be set for this to become active. See Reducing Origin Server Requests (Avoiding the Thundering Herd)

Forces the use of a specific hardware sector size (512 - 8192 bytes).

Enables (1) or disables (0) caching of HTTP requests.

Enables (1) or disables (0) caching objects that have an empty response body. This is particularly useful for caching 301 or 302 responses with a Location header but no document body. This only works if the origin response also has a Content-Length header.

When enabled (1), Traffic Server ignores client requests to bypass the cache.

When enabled (1), Traffic Server issues a conditional request to the origin server if an incoming request has a No-Cache header.

When enabled (1), Traffic Server ignores origin server requests to bypass the cache.

Specifies how cookies are cached:

• 0 = do not cache any responses to cookies
• 1 = cache for any content-type
• 2 = cache only for image types
• 3 = cache for all but text content-types

When enabled (1), Traffic Server ignores WWW-Authentication headers in responses WWW-Authentication headers are removed and not cached.

Enables (1) or disables (0) caching of URLs that look dynamic, i.e.: URLs that end in ``.asp`` or contain a question mark (``?``), a semicolon (``;``), or ``cgi``. For a full list, please refer to HttpTransact::url_looks_dynamic

Enables (1) or disables (0) caching of alternate versions of HTTP objects that do not contain the Vary header.

Specifies when to revalidate content:

• 0 = use cache directives or heuristic (the default value)

• 1 = stale if heuristic

• 2 = always stale (always revalidate)

• 3 = never stale

• 4 = use cache directives or heuristic (0) unless the request

  has an If-Modified-Since header

If the request contains the If-Modified-Since header, then Traffic Server always revalidates the cached content and uses the client’s If-Modified-Since header for the proxy request.

The type of headers required in a request for the request to be cacheable.

• 0 = no headers required to make document cacheable
• 1 = either the Last-Modified header, or an explicit lifetime header, Expires or Cache-Control: max-age, is required
• 2 = explicit lifetime is required, Expires or Cache-Control: max-age

The maximum age allowed for a stale response before it cannot be cached.

When enabled (1), Traffic Server looks up range requests in the cache.

When enabled (1), Traffic Server will attempt to write (lock) the URL to cache. This is rarely useful (at the moment), since it’ll only be able to write to cache if the origin has ignored the Range:` header. For a use case where you know the origin will respond with a full (``200) response, you can turn this on to allow it to be cached.

When enabled with a value of 1, Traffic Server serves documents from cache with a Content-Type: header even if it does not match the Accept: header of the request. If set to 2 (default), this logic only happens in the absence of a Vary header in the cached response (which is the recommended and safe use).

When enabled with a value of 1, Traffic Server serves documents from cache with a Content-Language: header even if it does not match the Accept-Language: header of the request. If set to 2 (default), this logic only happens in the absence of a Vary header in the cached response (which is the recommended and safe use).

When enabled with a value of 1, Traffic Server serves documents from cache with a Content-Encoding: header even if it does not match the Accept-Encoding: header of the request. If set to 2 (default), this logic only happens in the absence of a Vary header in the cached response (which is the recommended and safe use).

When enabled with a value of 1, Traffic Server serves documents from cache with a Content-Type: header even if it does not match the Accept-Charset: header of the request. If set to 2 (default), this logic only happens in the absence of a Vary header in the cached response (which is the recommended and safe use).

When enabled (1), Traffic Server ignores any Cache-Control: max-age headers from the client. This technically violates the HTTP RFC, but avoids a problem where a client can forcefully invalidate a cached object.

Specifies the maximum object size that will be cached. 0 is unlimited.

When enabled (1), Traffic Server will keep certain HTTP objects in the cache for a certain time as specified in cache.config.

The size of the region (as a percentage of the total content storage in a cache stripe) in front of the write cursor that constitutes a recent access hit for evacutating the accessed object.

When an object is accessed it can be marked for evacuation, that is to be copied over the write cursor and thereby preserved from being overwritten. This is done if it is no more than a specific number of bytes in front of the write cursor. The number of bytes is a percentage of the total number of bytes of content storage in the cache stripe where the object is stored and that percentage is set by this variable.

By default, the feature is off (set to 0).

Limit the size of objects that are hit evacuated.

Objects larger than the limit are not hit evacuated. A value of 0 disables the limit.

The maximum number of alternates that are allowed for any given URL. Disable by setting to 0. Note that this setting will not strictly enforce this if the variable proxy.config.cache.vary_on_user_agent is set to 1 (by default it is 0).

Sets the target size of a contiguous fragment of a file in the disk cache. Accepts values that are powers of 2, e.g. 65536, 131072, 262144, 524288, 1048576, 2097152, etc. When setting this, consider that larger numbers could waste memory on slow connections, but smaller numbers could increase (waste) seeks.

By default the RAM cache size is automatically determined, based on disk cache size; approximately 10 MB of RAM cache per GB of disk cache. Alternatively, it can be set to a fixed value such as 20GB (21474836480)

Two distinct RAM caches are supported, the default (0) being the CLFUS (Clocked Least Frequently Used by Size). As an alternative, a simpler LRU (Least Recently Used) cache is also available, by changing this configuration to 1.

Enabling this option will filter inserts into the RAM cache to ensure that they have been seen at least once. For the LRU, this provides scan resistance. Note that CLFUS already requires that a document have history before it is inserted, so for CLFUS, setting this option means that a document must be seen three times before it is added to the RAM cache.

The CLFUS RAM cache also supports an optional in-memory compression. This is not to be confused with Content-Encoding: gzip compression. The RAM cache compression is intended to try to save space in the RAM, and is not visible to the User-Agent (client).

Possible values are:

• 0 = no compression
• 1 = fastlz (extremely fast, relatively low compression)
• 2 = libz (moderate speed, reasonable compression)
• 3 = liblzma (very slow, high compression)

The minimum amount of time an HTTP object without an expiration date can remain fresh in the cache before is considered to be stale.

The maximum amount of time an HTTP object without an expiration date can remain fresh in the cache before is considered to be stale.

The aging factor for freshness computations. Traffic Server stores an object for this percentage of the time that elapsed since it last changed.

How often Traffic Server checks for an early refresh, during the period before the document stale time. The interval specified must be in seconds. See Fuzzy Revalidation

The probability that a refresh is made on a document during the specified fuzz time.

Handles requests with a TTL less than fuzz.time – it allows for different times to evaluate the probability of revalidation for small TTLs and big TTLs. Objects with small TTLs will start “rolling the revalidation dice” near the fuzz.min_time, while objects with large TTLs would start at fuzz.time. A logarithmic like function between determines the revalidation evaluation start time (which will be between fuzz.min_time and fuzz.time). As the object gets closer to expiring, the window start becomes more likely. By default this setting is not enabled, but should be enabled anytime you have objects with small TTLs. The default value is 0.

The header on which Traffic Server varies for text documents.

The header on which Traffic Server varies for images.

The header on which Traffic Server varies for anything other than text and images.

Specifies whether customizable response pages are language specific or not:

• 1 = enable customizable user response pages in the default directory only
• 2 = enable language-targeted user response pages

Enables (1) or disables (0) logging for customizable response pages. When enabled, Traffic Server records a message in the error log each time a customized response page is used or modified.

The customizable response page default directory. If this is a relative path, Traffic Server resolves it relative to the PREFIX directory.

Specifies when Traffic Server suppresses generated response pages:

• 0 = never suppress generated response pages
• 1 = always suppress generated response pages
• 2 = suppress response pages only for intercepted traffic

Enable the user interface page.

Enables (1) or disables (0) local domain expansion.

Enables (1) or disables (0) DNS server selection. When enabled, Traffic Server refers to the splitdns.config file for the selection specification. Refer to Configuring DNS Server Selection (Split DNS).

Specifies a list of hostname extensions that are automatically added to the hostname after a failed lookup. For example: if you want Traffic Server to add the hostname extension .org, then specify org as the value for this variable (Traffic Server automatically adds the dot (.)).

Allows to specify which resolv.conf file to use for finding resolvers. While the format of this file must be the same as the standard resolv.conf file, this option allows an administrator to manage the set of resolvers in an external configuration file, without affecting how the rest of the operating system uses DNS.

Enables (1) or disables (0) DNS server round-robin.

The DNS servers.

Indicates whether to use SRV records for orgin server lookup.

Create and dedicate a thread entirely for DNS processing. This is probably most useful on system which do a significant number of DNS lookups, typically forward proxies. But even on other systems, it can avoid some contention on the first worker thread (which otherwise takes on the burden of all DNS lookups).

When enabled (1) provides additional resilience against DNS forgery (for instance in DNS Injection attacks), particularly in forward or transparent proxies, but requires that the resolver populates the queries section of the response properly.

The number of seconds for which to use a stale NS record while initiating a background fetch for the new data.

If not set then stale records are not served.

The amount of space (in bytes) used to store hostdb. The value of this variable must be increased if you increase the size of the proxy.config.hostdb.size variable.

The maximum number of entries that can be stored in the database.

A host entry will eventually time out and be discarded. This variable controls how that time is calculated. A DNS request will return a TTL value and an internal value can be set with proxy.config.hostdb.timeout. This variable determines which value will be used.

Internal time to live value for host DB entries, in minutes.

See proxy.config.hostdb.ttl_mode for when this value is used.

Set host resolution to use strict round robin.

Set host resolution to use timed round robin.

Set the host resolution style.

Enables and disables event logging:

• 0 = logging disabled
• 1 = log errors only
• 2 = log transactions only
• 3 = full logging (errors + transactions)

Refer to Working with Log Files.

The maximum amount of time before data in the buffer is flushed to disk.

The amount of space allocated to the logging directory (in MB).

The amount of space allocated to the logging directory (in MB) if this node is acting as a collation client.

The tolerance for the log space limit (in megabytes). If the variable proxy.config.log.auto_delete_rolled_files is set to 1 (enabled), then autodeletion of log files is triggered when the amount of free space available in the logging directory is less than the value specified here.

The hostname of the machine running Traffic Server.

The path to the logging directory. This can be an absolute path or a path relative to the PREFIX directory in which Traffic Server is installed.

The log file permissions. The standard UNIX file permissions are used (owner, group, other). Permissible values are:

- no permission r read permission w write permission x execute permission

Permissions are subject to the umask settings for the Traffic Server process. This means that a umask setting of002 will not allow write permission for others, even if specified in the configuration file. Permissions for existing log files are not changed when the configuration is changed.

Enables (1) or disables (0) custom logging.

Enables (1) or disables (0) the squid log file format.

The squid log file type:

• 1 = ASCII
• 0 = binary

The squid log filename.

The squid log file header text.

Enables (1) or disables (0) the Netscape common log file format.

The Netscape common log file type:

• 1 = ASCII
• 0 = binary

The Netscape common log filename.

The Netscape common log file header text.

Enables (1) or disables (0) the Netscape extended log file format.

The Netscape extended log file type:

• 1 = ASCII
• 0 = binary

The Netscape extended log filename.

The Netscape extended log file header text.

Enables (1) or disables (0) the Netscape Extended-2 log file format.

The Netscape Extended-2 log file type:

• 1 = ASCII
• 0 = binary

The Netscape Extended-2 log filename.

The Netscape Extended-2 log file header text.

When enabled (1), configures Traffic Server to store ICP transactions in a separate log file.

• 0 = separation is disabled, all ICP transactions are recorded in the same file as HTTP transactions
• 1 = all ICP transactions are recorded in a separate log file.
• -1 = filter all ICP transactions from the default log files; ICP transactions are not logged anywhere.

When enabled (1), configures Traffic Server to create a separate log file for HTTP transactions for each origin server listed in the log_hosts.config file. Refer to HTTP Host Log Splitting.

Set the log collation mode.

The hostname of the log collation server.

The port used for communication between the collation server and client.

The password used to validate logging data and prevent the exchange of unauthorized information when a collation server is being used.

When enabled (1), configures Traffic Server to include the hostname of the collation client that generated the log entry in each entry.

The number of seconds between collation server connection retries.

Specifies how log files are rolled. You can specify the following values:

• 0 = disables log file rolling

• 1 = enables log file rolling at specific intervals during the day (specified with the

  proxy.config.log.rolling_interval_sec and proxy.config.log.rolling_offset_hr variables)

• 2 = enables log file rolling when log files reach a specific size (specified with the proxy.config.log.rolling_size_mb variable)

• 3 = enables log file rolling at specific intervals during the day or when log files reach a specific size (whichever occurs first)

• 4 = enables log file rolling at specific intervals during the day when log files reach a specific size (i.e., at a specified

  time if the file is of the specified size)

The log file rolling interval, in seconds. The minimum value is 60 (1 minute). The maximum, and default, value is 86400 seconds (one day).

The file rolling offset hour. The hour of the day that starts the log rolling period.

The size that log files must reach before rolling takes place.

Enables (1) or disables (0) automatic deletion of rolled files.

Configures Traffic Server to log only a sample of transactions rather than every transaction. You can specify the following values:

• 1 = log every transaction
• 2 = log every second transaction
• 3 = log every third transaction and so on...

If set to a non-zero value N then any connection that takes longer than N milliseconds from accept to completion will cause its timing stats to be written to the debugging log file. This is identifying data about the transaction and all of the transaction milestones.

The diagnosic output configuration variables control where Traffic Server should log diagnostic output. Messages at each diagnostic level can be directed to any combination of diagnostic destinations. Valid diagnostic message destinations are:

• ‘O’ = Log to standard output
• ‘E’ = Log to standard error
• ‘S’ = Log to syslog
• ‘L’ = Log to diags.log

Annotates diagnostic messages with the source code location.

Enables logging for diagnostic messages whose log level is diag or debug.

Each Traffic Server diag and debug level message is annotated with a subsytem tag. This configuration contains a regular expression that filters the messages based on the tag. Some commonly used debug tags are:

Enables (1) or disables (0) HTTP reverse proxy.

The URL to which to redirect requests with no host headers (reverse proxy).

Sets the name of the remap.config file.

Enables (1) or disables (0) requests for a PAC file on the proxy service port (8080 by default) to be redirected to the PAC port. For this type of redirection to work, the variable proxy.config.reverse_proxy.enabled must be set to 1.

Sets the PAC port so that PAC requests made to the Traffic Server proxy service port are redirected this port. -1 is the default setting that sets the PAC port to the autoconfiguration port (the default autoconfiguration port is 8083). This variable can be used together with the proxy.config.url_remap.default_to_server_pac variable to get a PAC file from a different port. You must create and run a process that serves a PAC file on this port. For example: if you create a Perl script that listens on port 9000 and writes a PAC file in response to any request, then you can set this variable to 9000. Browsers that request the PAC file from a proxy server on port 8080 will get the PAC file served by the Perl script.

Set this variable to 1 if you want Traffic Server to serve requests only from origin servers listed in the mapping rules of the remap.config file. If a request does not match, then the browser will receive an error.

Set this variable to 1 if you want to retain the client host header in a request during remapping.

Enables (1) or disables (0) SSLv2. Please don’t enable it.

Enables (1) or disables (0) SSLv3.

Enables (1) or disables (0) TLSv1.

Enables (1) or disables (0) TLS v1.1. If not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher]

Enables (1) or disables (0) TLS v1.2. If not specified, DISABLED by default. [Requires OpenSSL v1.0.1 and higher]

Sets the client certification level:

• 0 = no client certificates are required. Traffic Server does

  not verify client certificates during the SSL handshake. Access to Traffic Server depends on Traffic Server configuration options (such as access control lists).

• 1 = client certificates are optional. If a client has a

  certificate, then the certificate is validated. If the client does not have a certificate, then the client is still allowed access to Traffic Server unless access is denied through other Traffic Server configuration options.

• 2 = client certificates are required. The client must be

  authenticated during the SSL handshake. Clients without a certificate are not allowed to access Traffic Server.

Sets the number of SSL threads to use, this defaults to 0 (autoconfigure).

• 0 = autoconfigure, this will allow Traffic Server to determine the appropriate number of threads
• -1 = disable, this makes ET_NET threads behave like ET_SSL threads Note: this does not disable SSL, it simply allows another thread pool to assist in SSL tasks without dedicated SSL threads.
• >0 = Use a non-zero number of SSL threads

The location of the ssl_multicert.config file, relative to the Traffic Server configuration directory. In the following example, if the Traffic Server configuration directory is /etc/trafficserver, the Traffic Server SSL configuration file and the corresponding certificates are located in /etc/trafficserver/ssl:

CONFIG proxy.config.ssl.server.multicert.filename STRING ssl/ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver/ssl
CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver/ssl

The location of the SSL certificates and chains used for accepting and validation new SSL sessions. If this is a relative path, it is appended to the Traffic Server installation PREFIX. All certificates and certificate chains listed in ssl_multicert.config will be loaded relative to this path.

The location of the SSL certificate private keys. Change this variable only if the private key is not located in the SSL certificate file. All private keys listed in ssl_multicert.config will be loaded relative to this path.

The name of a file containing a global certificate chain that should be used with every server certificate. This file is only used if there are certificates defined in ssl_multicert.config. Unless this is an absolute path, it is loaded relative to the path specified by proxy.config.ssl.server.cert.path.

The location of the certificate authority file that client certificates will be verified against.

The filename of the certificate authority that client certificates will be verified against.

This configuration specifies the maximum number of bytes to write into a SSL record when replying over a SSL session. In some circumstances this setting can improve response latency by reducing buffering at the SSL layer. The default of 0 means to always write all available data into a single SSL record.

This configuration specifies the lifetime of SSL session cache entries in seconds. If it is 0, then the SSL library will use a default value, typically 300 seconds.

This configuration specifies the max-age value that will be used when adding the Strict-Transport-Security header. The value is in seconds. A value of 0 will set the max-age value to 0 and should remove the HSTS entry from the client. A value of -1 will disable this feature and not set the header. This option is only used for HTTPS requests and the header will not be set on HTTP requests.

Enables (1) or disables (0) adding the includeSubdomain value to the Strict-Transport-Security header. proxy.config.ssl.hsts_max_age needs to be set to a non -1 value for this configuration to take effect.

This configuration specifies whether the client is able to initiate renegotiation of the SSL connection. The default of 0, means the client can’t initiate renegotiation.

Enables (1) or disables (0) elevation of traffic_server privileges during loading of SSL certificates. By enabling this, SSL certificate files’ access rights can be restricted to help reduce the vulnerability of certificates.

Sets ICP mode for hierarchical caching:

• 0 = disables ICP
• 1 = allows Traffic Server to receive ICP queries only
• 2 = allows Traffic Server to send and receive ICP queries

Refer to ICP Peering.

Specifies the network interface used for ICP traffic.

Specifies the UDP port that you want to use for ICP messages.

Specifies the timeout used for ICP queries.

How long a SPDY connection will be kept open after an accept without any streams created.

How long a stream is kept open without activity.

The initial window size for inbound connections.

The maximum number of concurrent streams per inbound connection.

Enables (1) or disables (0) the Scheduled Update option.

Enables (1) or disables (0) a force immediate update. When enabled, Traffic Server overrides the scheduling expiration time for all scheduled update entries and initiates updates until this option is disabled.

Specifies the number of times Traffic Server can retry the scheduled update of a URL in the event of failure.

Specifies the delay (in seconds) between each scheduled update retry for a URL in the event of failure.

Specifies the maximum simultaneous update requests allowed at any time. This option prevents the scheduled update process from overburdening the host.

Specifies the location of Traffic Server plugins.

When this variable is set to 0, plugin remap callbacks are executed in line on network threads. If remap processing takes significant time, this can be cause additional request latency. Setting this variable to causes remap processing to take place on a dedicated thread pool, freeing the network threads to service additional requests.

default: 1 meaning on all Platforms except Linux: 45 seconds

This directive enables operating system specific optimizations for a listening socket. defer_accept holds a call to accept(2) back until data has arrived. In Linux’ special case this is up to a maximum of 45 seconds.

Sets the send buffer size for connections from the client to Traffic Server.

Sets the receive buffer size for connections from the client to Traffic Server.

Turns different options “on” for the socket handling client connections::

TCP_NODELAY (1)
SO_KEEPALIVE (2)

Sets the send buffer size for connections from Traffic Server to the origin server.

Sets the receive buffer size for connections from Traffic Server to the origin server.

Turns different options “on” for the origin server socket::

TCP_NODELAY (1)
SO_KEEPALIVE (2)

Same as the command line option --accept_mss that sets the MSS for all incoming requests.

Set the packet mark on traffic destined for the client (the packets that make up a client response).

Set the packet mark on traffic destined for the origin (the packets that make up an origin request).

Set the ToS/DiffServ Field on packets sent to the client (the packets that make up a client response).

Set the ToS/DiffServ Field on packets sent to the origin (the packets that make up an origin request).

Same as the command line option --poll_timeout, or -t, which specifies the timeout used for the polling mechanism used. This timeout is always in milliseconds (ms). This is the timeout to epoll_wait() on Linux platforms, and to kevent() on BSD type OSs. The default value is 10 on all platforms.

Changing this configuration can reduce CPU usage on an idle system, since periodic tasks gets processed at these intervals. On busy servers, this overhead is diminished, since polled events triggers morefrequently. However, increasing the setting can also introduce additional latency for certain operations, and timed events. It’s recommended not to touch this setting unless your CPU usage is unacceptable at idle workload. Some alternatives to this could be:

Reduce the number of worker threads (net-threads)
Reduce the number of disk (AIO) threads
Make sure accept threads are enabled

The relevant configurations for this are:

CONFIG proxy.config.exec_thread.autoconfig INT 0
CONFIG proxy.config.exec_thread.limit INT 2
CONFIG proxy.config.accept_threads INT 1
CONFIG proxy.config.cache.threads_per_disk INT 8