apache-frontend: replace squid by apache traffic server for caching

apache-frontend: ats: add basic cache configuration XXX RAM (1G) and disk (8G) cache size Should not be hardcoded apache-frontend: ats: mark in header status of request in ats apache-frontend: remove squid

apache-frontend: replace squid by apache traffic server for caching
apache-frontend: ats: add basic cache configuration XXX RAM (1G) and disk (8G) cache size Should not be hardcoded apache-frontend: ats: mark in header status of request in ats apache-frontend: remove squid
49a80246 · Cédric Le Ninivin · e36309ce · 49a80246 · 49a80246 · e36309ce
Commit 49a80246 authored May 28, 2014 by Cédric Le Ninivin
4 changed files
--- a/software/apache-frontend/common.cfg
+++ b/software/apache-frontend/common.cfg
@@ -13,7 +13,8 @@ extends =
  ../../component/dcron/buildout.cfg
  ../../component/logrotate/buildout.cfg
  ../../component/rdiff-backup/buildout.cfg
-  ../../component/squid/buildout.cfg
+  ../../component/trafficserver/buildout.cfg
+
 # Monitoring stack
  ../../stack/monitor/buildout.cfg

@@ -33,7 +34,6 @@ parts +=
  dcron
  logrotate
  rdiff-backup
-  squid

 [slapos-toolbox]
 recipe = zc.recipe.egg
@@ -67,14 +67,14 @@ mode = 0644
 [template-apache-frontend]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-apache-frontend.cfg
-md5sum = f5ec3d3b29d20ccdb00e3b64aa588fa5
+#md5sum = f5ec3d3b29d20ccdb00e3b64aa588fa5
 output = ${buildout:directory}/template-apache-frontend.cfg
 mode = 0644

 [template-apache-replicate]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-apache-replicate.cfg.in
-md5sum = 82c88a4b4856bfffec3d7ef24e372f38
+#md5sum = 82c88a4b4856bfffec3d7ef24e372f38
 mode = 0644

 [template-slave-list]
@@ -144,12 +144,6 @@ url = ${:_profile_base_location_}/templates/template-log-access.conf.in
 md5sum = f85005b430978f3bd24ee7ce11b0e304
 mode = 640

-[template-squid-configuration]
-recipe = slapos.recipe.build:download
-url = ${:_profile_base_location_}/templates/squid.conf.jinja2
-md5sum = f17753fa87da074bc949b2967a330099
-mode = 640
-
 [template-empty]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/empty.in
@@ -162,3 +156,12 @@ url = ${:_profile_base_location_}/templates/wrapper.in
 output = ${buildout:directory}/template-wrapper.cfg
 mode = 0644
 md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
+
+[template-trafficserver-records-config]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
+#md5sum = 788795524769f6d946526ac282508b69
+location = ${buildout:parts-directory}/${:_buildout_section_name_}
+filename = records.config.jinja2
+download-only = true
+mode = 0644
--- a/software/apache-frontend/instance-apache-frontend.cfg
+++ b/software/apache-frontend/instance-apache-frontend.cfg
@@ -9,16 +9,11 @@ parts =
  certificate-authority
  logrotate-entry-apache
  logrotate-entry-apache-cached
-  logrotate-entry-squid
  apache-frontend
  apache-cached
  switch-apache-softwaretype
  frontend-apache-graceful
  cached-apache-graceful
-  squid-service
-  squid-prepare
-  squid-reload
-  promise-squid
  dynamic-template-default-vh
  not-found-html
  promise-frontend-apache-configuration
@@ -28,6 +23,14 @@ parts =
  promise-apache-frontend-v6-https
  promise-apache-frontend-v6-http
  promise-apache-cached
+
+  trafficserver-launcher
+  trafficserver-reload
+  trafficserver-configuration-directory
+  trafficserver-records-config
+  trafficserver-remap-config
+  trafficserver-storage-config
+
 ## Monitoring part
 ###Parts to add for monitoring
  certificate-authority
@@ -79,6 +82,7 @@ crontabs = $${:etc}/crontabs
 cronstamps = $${:etc}/cronstamps
 ca-dir = $${:srv}/ssl

+
 [switch-apache-softwaretype]
 recipe = slapos.cookbook:softwaretype
 single-default = $${dynamic-default-template-slave-list:rendered}
@@ -135,6 +139,7 @@ context =
    key develop_eggs_directory buildout:develop-eggs-directory
    key slap_software_type instance-parameter:slap-software-type
    key slapparameter_dict instance-parameter:configuration
+    section directory directory
    $${:extra-context}

 [dynamic-template-default-vh]
@@ -333,8 +338,8 @@ cache-access-log = $${directory:log}/frontend-apache-access-cached.log
 cache-error-log = $${directory:log}/frontend-apache-error-cached.log
 cache-pid-file = $${directory:run}/httpd-cached.pid

-# Comunication with squid
-cache-port = 26010
+# Comunication with ats
+cache-port = $${trafficserver-variable:input-port}
 cache-through-port = 26011

 # Create wrapper for "apachectl conftest" in bin
@@ -433,77 +438,68 @@ sharedscripts = true
 notifempty = true
 create = true

-[logrotate-entry-squid]
-<= logrotate
-recipe = slapos.cookbook:logrotate.d
-name = squid
-log = $${squid-cache:cache-log-path} $${squid-cache:access-log-path}
-frequency = daily
-rotatep-num = 30
-post = ${buildout:bin-directory}/killpidfromfile $${apache-configuration:pid-file} SIGHUP
-sharedscripts = true
-notifempty = true
-create = true
-
-######################
-#  Squid deployment
-######################
-[squid-directory]
+#################
+# Trafficserver
+#################
+[trafficserver-directory]
 recipe = slapos.cookbook:mkdirectory
-squid-cache = $${directory:srv}/squid_cache
-
-[squid-cache]
-prepare-path = $${directory:etc-run}/squid-prepare
-wrapper-path = $${directory:service}/squid
-binary-path = ${squid:location}/sbin/squid
-configuration-path = $${directory:etc}/squid.cfg
-cache-path = $${squid-directory:squid-cache}
-ip = $${instance-parameter:ipv4-random}
-port = $${apache-configuration:cache-port}
-backend-ip = $${instance-parameter:ipv4-random}
-backend-port = $${apache-configuration:cache-through-port}
-open-port = $${instance-parameter:configuration.open-port}
-access-log-path = $${directory:log}/squid-access.log
-cache-log-path = $${directory:log}/squid-cache.log
-pid-filename-path = $${directory:run}/squid.pid
-
-[squid-configuration]
-< = jinja2-template-base
-template = ${template-squid-configuration:target}
-rendered = $${squid-cache:configuration-path}
-extra-context =
-      key ip squid-cache:ip
-      key port squid-cache:port
-      key backend_ip squid-cache:backend-ip
-      key backend_port squid-cache:backend-port
-      key cache_path squid-cache:cache-path
-      key access_log_path squid-cache:access-log-path
-      key cache_log_path squid-cache:cache-log-path
-      key pid_filename_path squid-cache:pid-filename-path
-      key open_port squid-cache:open-port
-
-[squid-service]
+configuration = $${directory:etc}/trafficserver
+local-state = $${directory:var}/trafficserver
+bin_path = ${trafficserver:location}/bin
+log = $${directory:log}/trafficserver
+cache-path = $${directory:srv}/ats_cache
+
+[trafficserver-variable]
+wrapper-path = $${directory:service}/trafficserver
+reload-path = $${directory:etc-run}/trafficserver-reload
+local-ip = $${instance-parameter:ipv4-random}
+input-port = 23432
+hostname = $${slap-parameter:frontend-name}
+remap = map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
+disk-cache-config = $${trafficserver-directory:cache-path} 8G volume=$${slap-parameter:frontend-name}
+
+[trafficserver-configuration-directory]
+recipe = plone.recipe.command
+command = cp -rn ${trafficserver:location}/etc/trafficserver/* $${:target}
+target = $${trafficserver-directory:configuration}
+
+[trafficserver-launcher]
 recipe = slapos.cookbook:wrapper
-command-line = $${squid-cache:binary-path} -N -f $${squid-configuration:rendered}
-wrapper-path = $${squid-cache:wrapper-path}
+command-line = ${trafficserver:location}/bin/traffic_cop
+wrapper-path = $${trafficserver-variable:wrapper-path}
+environment = TS_ROOT=$${buildout:directory}

-[squid-prepare]
+[trafficserver-reload]
 recipe = slapos.cookbook:wrapper
-command-line = $${squid-cache:binary-path} -z -f $${squid-configuration:rendered}
-wrapper-path = $${squid-cache:prepare-path}
+command-line = ${trafficserver:location}/bin/traffic_line -x
+wrapper-path = $${trafficserver-variable:reload-path}
+environment = TS_ROOT=$${buildout:directory}

-[squid-reload]
-recipe = slapos.cookbook:wrapper
-command-line = ${buildout:bin-directory}/killpidfromfile $${squid-cache:pid-filename-path} SIGHUP
-wrapper-path = $${directory:etc-run}/squid-reload
+[trafficserver-records-config]
+< = jinja2-template-base
+template = ${template-trafficserver-records-config:location}/${template-trafficserver-records-config:filename}
+rendered = $${trafficserver-directory:configuration}/records.config
+mode = 700
+context =
+    import os_module os
+    section ats_directory trafficserver-directory
+    section ats_configuration trafficserver-variable

-[promise-squid]
-recipe = slapos.cookbook:check_port_listening
-path = $${directory:promise}/squid
-hostname = $${instance-parameter:ipv4-random}
-port = $${apache-configuration:cache-port}
+[trafficserver-remap-config]
+< = jinja2-template-base
+template = ${template-empty:target}
+rendered = $${trafficserver-configuration-directory:target}/remap.config
+mode = 700
+context =
+    key content trafficserver-variable:remap

-# End of Squid part
+[trafficserver-storage-config]
+< = jinja2-template-base
+template = ${template-empty:target}
+rendered = $${trafficserver-configuration-directory:target}/storage.config
+mode = 700
+context =
+    key content trafficserver-variable:disk-cache-config

 ### Apaches Graceful and promises
 [frontend-apache-graceful]
@@ -577,3 +573,21 @@ server_url = $${slap-connection:server-url}
 software_release_url = $${slap-connection:software-release-url}
 key_file = $${slap-connection:key-file}
 cert_file = $${slap-connection:cert-file}
+
+[slap-parameter]
+# Define default parameter(s) that will be used later, in case user didn't
+# specify it
+# All parameters are available through the configuration.XX syntax.
+# All possible parameters should have a default.
+domain = example.org
+public-ipv4 =
+port = 4443
+plain_http_port = 8080
+server-admin = admin@example.com
+apache_custom_https = ""
+apache_custom_http = ""
+apache-key =
+apache-certificate =
+open-port = 80 443
+extra_slave_instance_list =
+frontend-name =
\ No newline at end of file
--- a/software/apache-frontend/templates/squid.conf.jinja2
+++ b/software/apache-frontend/templates/squid.conf.jinja2
-refresh_pattern .   0 20% 4320 max-stale=604800
-
-# Dissallow cachemgr access
-http_access deny manager
-
-# Squid service configuration
-http_port {{ ip }}:{{ port }} accel defaultsite={{ ip }}
-
-cache_peer {{ backend_ip }} parent {{ backend_port }} 0 no-query originserver name=backend
-
-acl our_sites port {{ open_port }}
-http_access allow our_sites
-cache_peer_access backend allow our_sites
-cache_peer_access backend deny all
-
-# Drop squid headers
-# via off
-# reply_header_access X-Cache-Lookup deny all
-# reply_header_access X-Squid-Error deny all
-# reply_header_access X-Cache deny all
-
-header_replace X-Forwarded-For
-follow_x_forwarded_for allow all
-forwarded_for on
-
-cache_dir aufs {{ cache_path }} 5000 16 256
-
-# Use 1Go of RAM
-cache_mem 1024 MB
-# But do not keep big object in RAM
-maximum_object_size_in_memory 2048 KB
-
-# Log
-access_log {{ access_log_path }}
-cache_log {{ cache_log_path }}
-pid_filename {{ pid_filename_path }}
--- a/software/apache-frontend/templates/trafficserver/records.config.jinja2
+++ b/software/apache-frontend/templates/trafficserver/records.config.jinja2
+#
+#
+# Process Records Config File
+#
+# <RECORD-TYPE> <NAME> <TYPE> <VALUE (till end of line)>
+#
+#	RECORD-TYPE:	CONFIG, LOCAL
+#	NAME:		name of variable
+#	TYPE:		INT, STRING, FLOAT
+#	VALUE:		Initial value for record
+#
+#
+# *NOTE*: All options covered in this file should be documented in the
+#         administration guide or the addendum:
+#
+#
+##############################################################################
+#
+# System Variables
+#
+##############################################################################
+CONFIG proxy.config.proxy_name STRING {{ ats_configuration['hostname'] }}
+CONFIG proxy.config.local_state_dir {{ ats_directory['local-state'] }}
+CONFIG proxy.config.config_dir STRING {{ ats_directory['configuration'] }}
+CONFIG proxy.config.bin_path STRING {{ ats_directory['bin_path'] }}
+CONFIG proxy.config.proxy_binary_opts STRING -M
+CONFIG proxy.config.env_prep STRING example_prep.sh
+CONFIG proxy.config.alarm_email STRING nobody
+CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
+CONFIG proxy.config.output.logfile STRING traffic.out
+CONFIG proxy.config.snapshot_dir STRING snapshots
+CONFIG proxy.config.system.mmap_max INT 2097152
+##############################################################################
+#
+# Main threads configuration (worker threads). Also see configurations for
+# SSL threads, disk I/O threads and task threads in their respective areas.
+#
+##############################################################################
+CONFIG proxy.config.exec_thread.autoconfig INT 1
+CONFIG proxy.config.exec_thread.autoconfig.scale FLOAT 1.5
+CONFIG proxy.config.exec_thread.limit INT 2
+CONFIG proxy.config.accept_threads INT 1
+##############################################################################
+#
+# Local Manager
+#
+##############################################################################
+CONFIG proxy.config.admin.admin_user STRING admin
+CONFIG proxy.config.admin.number_config_bak INT 3
+CONFIG proxy.config.admin.user_id STRING {{ '#%s' % os_module.geteuid() }}
+##############################################################################
+#
+# Process Manager
+#
+##############################################################################
+CONFIG proxy.config.admin.autoconf_port INT 8083
+CONFIG proxy.config.process_manager.mgmt_port INT 8084
+##############################################################################
+#
+# In order to only bind a specific IP, use the following config, as in
+# the example below. Note - this can contain two addresses, one for IPv4
+# sockets and one for IPv6 sockets.
+#
+##############################################################################
+LOCAL proxy.local.incoming_ip_to_bind STRING {{ ats_configuration['local-ip'] }}
+#LOCAL proxy.local.outgoing_ip_to_bind STRING 10.0.143.32
+#LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.17 fc07:192:168:101::17
+##############################################################################
+#
+# Alarm Configuration
+#
+##############################################################################
+   # execute alarm as "<abs_path>/<bin> "<MSG_STRING_FROM_PROXY>""
+CONFIG proxy.config.alarm.bin STRING example_alarm_bin.sh
+CONFIG proxy.config.alarm.abs_path STRING NULL
+##############################################################################
+#
+# HTTP Engine
+#
+##############################################################################
+   ##########
+   # basics #
+   ##########
+   # The server ports are listed here. These are separated by spaces or commas.
+   # Each port is a colon separated list of values, which must include a
+   # port number. The order is irrelevant. Other options are
+   # ipv4 - Use IPv4 (default)
+   # ipv6 - Use IPv6
+   # tr-in - Transparent inbound.
+   # tr-out - Transparent outbound.
+   # tr-full - Fully transparent (inbound and outbound).
+   # tr-pass - Transparently Pass-through non-HTTP traffic (in conjuction with tr-in).
+   # ssl - SSL terminated port.
+   # blind - Blind tunnel port (CONNECT only)
+   # ip-in=[addr] - Bind inbound IP address (listen for client).
+   # ip-out=[addr] - Bind outbound IP address (connect to origin server).
+   # ip-resolve=[style] - Set the IP resolution style.
+   #
+   # Note - address types must agree with each other and the ipv4/ipv6
+   # option if specified. IPv6 addresses must be enclosed in brackets.
+   # ip-out can be repeated as long as each address is a different
+   # family. If ip-in is specified as an IPv6 address, the port is
+   # forced to IPv6. Transparent ports cannot be bound to an IP
+   # address on the transparent side.
+   #
+   # The '=' is optional for any option with a value.
+   #
+   # Example 1: Port 8080 IPv6 inbound transparent, and port 80 IPv4
+   # "8080:ipv6:tr-in 80"
+   #
+   # Example 2: Listen on standard http and https ports for IPv4 and IPv6,
+   # fully transparent on the http ports. Also provide an non-transparent
+   # port at address 192.168.1.56 on port 8080.
+   # "80:ipv4:tr-full tr-full:80:ipv6 443:ipv4:ssl 443:ssl:ipv6 ip-in=192.168.1.56:8080"
+   #
+CONFIG proxy.config.http.server_ports STRING {{ ats_configuration['local-ip'] + ':' + ats_configuration['input-port'] }}
+   # Ports on the origin server to which a blind tunnel may connect.
+CONFIG proxy.config.http.connect_ports STRING 443 563
+   # The via settings have four values
+   #  0 - Do not modify / set this via header
+   #  1 - Update the via, with normal verbosity
+   #  2 - Update the via, with higher verbosity
+   #  3 - Update the via, with highest verbosity
+CONFIG proxy.config.http.insert_request_via_str INT 2
+CONFIG proxy.config.http.insert_response_via_str INT 2
+   # Insert a Server: header, this has three values
+   #   0 - Don't add or modify the Server: header
+   #   1 - Add a Server: header
+   #   2 - Only add a Server: header if one doesn't exist already
+CONFIG proxy.config.http.response_server_enabled INT 1
+CONFIG proxy.config.http.insert_age_in_response INT 1
+CONFIG proxy.config.http.enable_url_expandomatic INT 0
+CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
+CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 1
+CONFIG proxy.config.http.keep_alive_enabled_in INT 1
+CONFIG proxy.config.http.keep_alive_enabled_out INT 1
+CONFIG proxy.config.http.chunking_enabled INT 1
+   # send http11 requests:
+   #   0 - Never
+   #   1 - Always
+   #   2 - if the server has returned http1.1 before
+   #   3 - if the client request is 1.1 & the server has returned 1.1 before
+   # If use_client_addr is set to 1, options 2 and 3 cause the proxy to use
+   # the client HTTP version for upstream requests.
+CONFIG proxy.config.http.send_http11_requests INT 1
+   # Share server connections
+   #  0 - Never
+   #  1 - Share, with a single global connection pool
+   #  2 - Share, with a connection pool per worker thread
+CONFIG proxy.config.http.share_server_sessions INT 2
+   ##########################
+   # HTTP referer filtering #
+   ##########################
+CONFIG proxy.config.http.referer_filter INT 0
+CONFIG proxy.config.http.referer_format_redirect INT 0
+CONFIG proxy.config.http.referer_default_redirect STRING http://www.example.com/
+   ##############################
+   # parent proxy configuration #
+   ##############################
+CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
+CONFIG proxy.config.http.parent_proxy.retry_time INT 300
+   # Parent fail threshold is the number of request that must
+   # fail within the retry window for the parent to be marked
+   # down
+CONFIG proxy.config.http.parent_proxy.fail_threshold INT 10
+CONFIG proxy.config.http.parent_proxy.total_connect_attempts INT 4
+CONFIG proxy.config.http.parent_proxy.per_parent_connect_attempts INT 2
+CONFIG proxy.config.http.parent_proxy.connect_attempts_timeout INT 30
+CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 0
+   ###################################
+   # HTTP connection timeouts (secs) #
+   ###################################
+   # out: proxy -> origin server connection
+   # in : ua -> proxy connection
+CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 115
+CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 120
+CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 30
+CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 30
+CONFIG proxy.config.http.transaction_active_timeout_in INT 900
+CONFIG proxy.config.http.transaction_active_timeout_out INT 0
+CONFIG proxy.config.http.accept_no_activity_timeout INT 120
+CONFIG proxy.config.http.background_fill_active_timeout INT 60
+CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.5
+   ##################################
+   # origin server connect attempts #
+   ##################################
+CONFIG proxy.config.http.connect_attempts_max_retries INT 6
+CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 3
+CONFIG proxy.config.http.connect_attempts_rr_retries INT 3
+CONFIG proxy.config.http.connect_attempts_timeout INT 30
+CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
+CONFIG proxy.config.http.down_server.cache_time INT 300
+CONFIG proxy.config.http.down_server.abort_threshold INT 10
+   ##################################
+   # congestion control             #
+   ##################################
+CONFIG proxy.config.http.congestion_control.enabled INT 0
+   #############################
+   # negative response caching #
+   #############################
+CONFIG proxy.config.http.negative_caching_enabled INT 0
+CONFIG proxy.config.http.negative_caching_lifetime INT 1800
+   #########################
+   # proxy users variables #
+   #########################
+CONFIG proxy.config.http.anonymize_remove_from INT 0
+CONFIG proxy.config.http.anonymize_remove_referer INT 0
+CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
+CONFIG proxy.config.http.anonymize_remove_cookie INT 0
+CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
+CONFIG proxy.config.http.anonymize_insert_client_ip INT 1
+CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
+CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
+   ############
+   # security #
+   ############
+CONFIG proxy.config.http.push_method_enabled INT 0
+
+#  ###################################
+#  # HTTP Quick filtering (security) #
+#  ###################################
+#  this functionality is moved to ip_allow.config
+
+   #################
+   # cache control #
+   #################
+CONFIG proxy.config.http.cache.http INT 1
+   # Enabling this setting allows the proxy to cache empty documents. This currently
+   # requires that the response has a Content-Length: header, with a value of "0".
+CONFIG proxy.config.http.cache.allow_empty_doc INT 0
+CONFIG proxy.config.http.cache.ignore_client_no_cache INT 1
+CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
+CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
+CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
+CONFIG proxy.config.http.normalize_ae_gzip INT 0
+   # cache responses to cookies has 5 options:
+   #   0 - do not cache any responses to cookies
+   #   1 - cache for any content-type
+   #   2 - cache only for image types
+   #   3 - cache for all but text content-types
+   #   4 - cache for all but text content-types except OS response
+   #       without "Set-Cookie" or with "Cache-Control: public"
+   # See also cache-responses-to-cookies in cache.config.
+CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 1
+CONFIG proxy.config.http.cache.ignore_authentication INT 0
+CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
+CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
+   #  when_to_revalidate has 5 options:
+   #    0 - default. use cache directives or heuristic
+   #    1 - stale if heuristic
+   #    2 - always stale (always revalidate)
+   #    3 - never stale
+   #    4 - always revalidate if request is conditional, else default is used
+CONFIG proxy.config.http.cache.when_to_revalidate INT 0
+   # Some old MSIE browsers don't send no-cache headers to
+   # reverse proxies or transparent caches, this variable controls
+   # when to add no-cache headers to MSIE requests:
+   #  -1 - no-cache is never added, stats are not updated
+   #   0 - default; no-cache not added to MSIE requests
+   #   1 - no-cache added to IMS MSIE requests
+   #   2 - no-cache added to all MSIE requests
+CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests INT -1
+   # required headers: three options:
+   #   0 - No required headers to make document cachable
+   #   1 - "Last-Modified:", "Expires:", or "Cache-Control: max-age" required
+   #   2 - explicit lifetime required, "Expires:" or "Cache-Control: max-age"
+CONFIG proxy.config.http.cache.required_headers INT 2
+CONFIG proxy.config.http.cache.max_stale_age INT 604800
+CONFIG proxy.config.http.cache.range.lookup INT 1
+   ########################
+   # heuristic expiration #
+   ########################
+CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 3600
+CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 86400
+CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.10
+CONFIG proxy.config.http.cache.fuzz.time INT 240
+CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005
+   #########################################
+   # dynamic content & content negotiation #
+   #########################################
+CONFIG proxy.config.http.cache.vary_default_text STRING NULL
+CONFIG proxy.config.http.cache.vary_default_images STRING NULL
+CONFIG proxy.config.http.cache.vary_default_other STRING NULL
+   ##############################################################
+   # The HTTP stats are expensive, turn off you don't need them #
+   ##############################################################
+CONFIG proxy.config.http.enable_http_stats INT 1
+
+##############################################################################
+#
+# Customizable User Response Pages
+#
+##############################################################################
+   # 1 - enable customizable user response pages in only the "default" directory
+   # 2 - enable language-targeted user response pages
+CONFIG proxy.config.body_factory.enable_customizations INT 1
+CONFIG proxy.config.body_factory.enable_logging INT 0
+   # 0 - never suppress generated responses
+   # 1 - always suppress generated responses
+   # 2 - suppress responses for intercepted traffic
+CONFIG proxy.config.body_factory.response_suppression_mode INT 0
+##############################################################################
+#
+# Net Subsystem
+#
+##############################################################################
+CONFIG proxy.config.net.connections_throttle INT 30000
+   # Enable defer accept / accept filtering. On Linux, this is a timeout, sec.
+CONFIG proxy.config.net.defer_accept INT 45
+##############################################################################
+#
+# Cluster Subsystem
+#
+##############################################################################
+   # cluster type requires restart to change
+   # 1 is full clustering, 2 is mgmt only, 3 is no clustering
+LOCAL proxy.local.cluster.type INT 3
+CONFIG proxy.config.cluster.cluster_port INT 8086
+CONFIG proxy.config.cluster.rsport INT 8088
+CONFIG proxy.config.cluster.mcport INT 8089
+CONFIG proxy.config.cluster.mc_group_addr STRING 224.0.1.37
+CONFIG proxy.config.cluster.mc_ttl INT 1
+CONFIG proxy.config.cluster.log_bogus_mc_msgs INT 1
+CONFIG proxy.config.cluster.ethernet_interface STRING lo
+##############################################################################
+#
+# Cache
+#
+##############################################################################
+CONFIG proxy.config.cache.permit.pinning INT 0
+   # default the ram cache size to AUTO_SIZE (-1) based on cache size
+   #   (approximately 10 MB of RAM cache per GB of disk cache)
+   # alternatively, set to a fixed value such as 21474836480 (20GB)
+CONFIG proxy.config.cache.ram_cache.size INT 1G
+CONFIG proxy.config.cache.ram_cache_cutoff INT 4194304
+   # Replacement algorithm
+   #  0 : Clocked Least Frequently Used by Size (CLFUS) w/optional compression
+   #  1 : LRU w/o optional compression - trivially simple
+CONFIG proxy.config.cache.ram_cache.algorithm INT 0
+   # Filter inserts into the RAM cache to ensure that they have been seen at
+   # least once.  For LRU, this provides scan resistance. Note that CLFUS
+   # already requires that a document have history before it is inserted, so
+   # for CLFUS, setting this option means that a document must be seen three
+   # times before it is added to the RAM cache.
+CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
+   # Compress the content of the ram cache:
+   #  0 : no compression
+   #  1 : fastlz (extremely fast, relatively low compression)
+   #  2 : libz (moderate speed, reasonable compression)
+   #  3 : liblzma (very slow, high compression)
+   #  NOTE: compression runs on task threads.  To use more cores for
+   #  compression, increase proxy.config.task_threads.
+CONFIG proxy.config.cache.ram_cache.compress INT 0
+   # The maximum number of alternates that are allowed for any given URL.
+   # It is not possible to strictly enforce this if the variable
+   #   'proxy.config.cache.vary_on_user_agent' is set to 1.
+   # The default value for 'proxy.config.cache.vary_on_user_agent' is 0.
+   # (0 disables the maximum number of alts check)
+CONFIG proxy.config.cache.limits.http.max_alts INT 5
+   # The target size of a contiguous fragment on disk.
+   # Acceptable values are powers of 2, e.g. 65536, 131072, 262144, 524288, 1048576, 2097152.
+   # Larger could waste memory on slow connections, smaller could waste seeks.
+CONFIG proxy.config.cache.target_fragment_size INT 1048576
+   # The maximum size of a document that will be stored in the cache.
+   # (0 disables the maximum document size check)
+CONFIG proxy.config.cache.max_doc_size INT 0
+   # enable the cache to read from an object while it is being added to the cache
+CONFIG proxy.config.cache.enable_read_while_writer INT 0
+   # This controls how many objects (average) the disk caches can hold, and
+   # how much memory it'll consume for the directory structure.
+CONFIG proxy.config.cache.min_average_object_size INT 8000
+   # How many I/O threads to allocate per disk (spindle). Be aware that RAID
+   # disks would show up to TS as a single spindle.
+CONFIG proxy.config.cache.threads_per_disk INT 8
+   # Time (in ms) to delay until retrying to acquire a cache lock. Setting
+   # this low can reduce latencies in some cases, but can consume more CPU.
+   # If you experience CPU spinning, try increasing this setting.
+CONFIG proxy.config.cache.mutex_retry_delay INT 2
+   # The interim storage disks. Must use raw disks.
+   # Only support at most 8 interim disks now. e.g.
+   # proxy.config.cache.interim.storage STRING /dev/sda /dev/sdb/
+LOCAL proxy.config.cache.interim.storage STRING NULL
+##############################################################################
+#
+# DNS
+#
+##############################################################################
+CONFIG proxy.config.dns.search_default_domains INT 0
+CONFIG proxy.config.dns.splitDNS.enabled INT 0
+CONFIG proxy.config.dns.max_dns_in_flight INT 2048
+   # Additional URL expansions for http DNS lookup
+CONFIG proxy.config.dns.url_expansions STRING NULL
+CONFIG proxy.config.dns.round_robin_nameservers INT 0
+CONFIG proxy.config.dns.nameservers STRING NULL
+CONFIG proxy.config.dns.resolv_conf STRING /etc/resolv.conf
+   # This provides additional resilience against DNS forgery, particularly in
+   # forward or transparent proxies, but requires that the resolver populates
+   # the queries section of the response properly.
+CONFIG proxy.config.dns.validate_query_name INT 0
+##############################################################################
+#
+# HostDB
+#
+##############################################################################
+   # in entries, may not be changed while running
+   # note that in order to increase hostdb.size, hostdb.storage_size should
+   # also be increase. These are best guesses, you will have to monitor this.
+CONFIG proxy.config.hostdb.size INT 120000
+CONFIG proxy.config.hostdb.storage_size INT 32M
+   # ttl modes:
+   #   0 = obey
+   #   1 = ignore
+   #   2 = min(X,ttl)
+   #   3 = max(X,ttl)
+CONFIG proxy.config.hostdb.ttl_mode INT 0
+   # in minutes...
+CONFIG proxy.config.hostdb.timeout INT 1440
+   # round-robin addresses for single clients
+   # (can cause authentication problems)
+CONFIG proxy.config.hostdb.strict_round_robin INT 0
+##############################################################################
+#
+# Logging Config
+#
+##############################################################################
+   # possible values for logging_enabled:
+   #   0: no logging at all
+   #   1: log errors only
+   #   2: log transactions only
+   #   3: full logging (errors + transactions)
+CONFIG proxy.config.log.logging_enabled INT 3
+CONFIG proxy.config.log.max_secs_per_buffer INT 5
+CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
+CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
+CONFIG proxy.config.log.max_space_mb_headroom INT 1000
+CONFIG proxy.config.log.hostname STRING localhost
+CONFIG proxy.config.log.logfile_dir STRING {{ ats_directory['log'] }}
+CONFIG proxy.config.log.logfile_perm STRING rw-r--r--
+CONFIG proxy.config.log.custom_logs_enabled INT 0
+CONFIG proxy.config.log.squid_log_enabled INT 1
+CONFIG proxy.config.log.squid_log_is_ascii INT 0
+CONFIG proxy.config.log.squid_log_name STRING squid
+CONFIG proxy.config.log.squid_log_header STRING NULL
+CONFIG proxy.config.log.common_log_enabled INT 0
+CONFIG proxy.config.log.common_log_is_ascii INT 1
+CONFIG proxy.config.log.common_log_name STRING common
+CONFIG proxy.config.log.common_log_header STRING NULL
+CONFIG proxy.config.log.extended_log_enabled INT 0
+CONFIG proxy.config.log.extended_log_is_ascii INT 0
+CONFIG proxy.config.log.extended_log_name STRING extended
+CONFIG proxy.config.log.extended_log_header STRING NULL
+CONFIG proxy.config.log.extended2_log_enabled INT 0
+CONFIG proxy.config.log.extended2_log_is_ascii INT 1
+CONFIG proxy.config.log.extended2_log_name STRING extended2
+CONFIG proxy.config.log.extended2_log_header STRING NULL
+CONFIG proxy.config.log.separate_icp_logs INT 0
+CONFIG proxy.config.log.separate_host_logs INT 0
+   # Log collation allows you to do "remote logging"
+LOCAL proxy.local.log.collation_mode INT 0
+CONFIG proxy.config.log.collation_host STRING NULL
+CONFIG proxy.config.log.collation_port INT 8085
+CONFIG proxy.config.log.collation_secret STRING foobar
+CONFIG proxy.config.log.collation_host_tagged INT 0
+CONFIG proxy.config.log.collation_retry_sec INT 5
+CONFIG proxy.config.log.rolling_enabled INT 1
+CONFIG proxy.config.log.rolling_interval_sec INT 86400
+CONFIG proxy.config.log.rolling_offset_hr INT 0
+CONFIG proxy.config.log.rolling_size_mb INT 10
+CONFIG proxy.config.log.auto_delete_rolled_files INT 1
+CONFIG proxy.config.log.sampling_frequency INT 1
+##############################################################################
+#
+# Reverse Proxy
+#
+##############################################################################
+CONFIG proxy.config.reverse_proxy.enabled INT 1
+CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
+##############################################################################
+#
+# URL Remap Rules
+#
+##############################################################################
+CONFIG proxy.config.url_remap.default_to_server_pac INT 0
+CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
+   # To enable forward proxy, you must turn off remap_required
+CONFIG proxy.config.url_remap.remap_required INT 1
+   # Pristine host header is the "original" (request) header. Make sure your
+   # origin expects them in reverse proxy.
+CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
+##############################################################################
+#
+# SSL Termination
+#
+##############################################################################
+   # The number of SSL threads is a multiplier of number of CPUs and
+   # proxy.config.exec_thread.autoconfig.scale by default. You can
+   # override that here (set it to a non-zero value).
+CONFIG proxy.config.ssl.number.threads INT 0
+   # The following three variables can be
+   # set to 0 to disable SSLv2, SSLv3, and/or TLSv1.
+   # SSLv2 is disabled by default for security concern.
+CONFIG proxy.config.ssl.SSLv2 INT 0
+CONFIG proxy.config.ssl.SSLv3 INT 1
+CONFIG proxy.config.ssl.TLSv1 INT 1
+   # The following two variables control the Cipher Suite traffic Server
+   # uses for HTTPS connnections and whether to prefer the client
+   # selected (default) or the server selected
+   # Our default SSL Cipher Suite tries to be reasonably fast and strong.
+CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
+CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
+   # Control if SSL should perform content compression or not
+CONFIG proxy.config.ssl.compression INT 0
+   # Client certification level should be:
+   # 0 no client certificates
+   # 1 client certificates optional
+   # 2 client certificates required
+CONFIG proxy.config.ssl.client.certification_level INT 0
+   # Server cert chain filename is the name of the global cert chain file
+   # that is added to every cert in ssl_multicert.config. This file is only
+   # loaded if there are configurations in ssl_multicert.config.
+CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
+   # This is the path that SSL certificates files are relative to. Certificate
+   # names specified in ssl_multicert.config will be located relative to this path.
+CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
+   # If any private key is not contained in the certificate file, you must
+   # fill in the private key path. Private key names specified in
+   # ssl_multicert.config will be located relative to this path.
+CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
+   # The CA file name and path are the
+   # certificate authority certificate that
+   # client certificates will be verified against.
+CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
+CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
+   ################################
+   # client related configuration #
+   ################################
+CONFIG proxy.config.ssl.client.verify.server INT 0
+CONFIG proxy.config.ssl.client.cert.filename STRING NULL
+CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
+   # Fill in private key file and path only if the client's
+   # private key is not contained in the client certificate file.
+CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
+CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver
+   # The CA file name and path are the
+   # certificate authority certificate that
+   # server certificates will be verified against.
+CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
+CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
+##############################################################################
+#
+# ICP Configuration. NOTE! ICP is currently broken NOTE!
+#
+##############################################################################
+   # icp modes
+   #   enabled=0 ICP disabled
+   #   enabled=1 Allow receive of ICP queries
+   #   enabled=2 Allow send/receive of ICP queries
+CONFIG proxy.config.icp.enabled INT 0
+CONFIG proxy.config.icp.icp_interface STRING NULL
+CONFIG proxy.config.icp.icp_port INT 3130
+CONFIG proxy.config.icp.multicast_enabled INT 0
+CONFIG proxy.config.icp.query_timeout INT 2
+##############################################################################
+#
+# Scheduled Update Configuration
+#
+##############################################################################
+CONFIG proxy.config.update.enabled INT 0
+CONFIG proxy.config.update.force INT 0
+CONFIG proxy.config.update.retry_count INT 10
+CONFIG proxy.config.update.retry_interval INT 2
+CONFIG proxy.config.update.concurrent_updates INT 100
+##############################################################################
+#
+# Socket send/recv buffer sizes (0 == don't call setsockopt() )
+#
+##############################################################################
+   # out: proxy -> os connection
+   # in : ua -> proxy connection
+CONFIG proxy.config.net.sock_send_buffer_size_in INT 262144
+CONFIG proxy.config.net.sock_recv_buffer_size_in INT 0
+CONFIG proxy.config.net.sock_send_buffer_size_out INT 0
+CONFIG proxy.config.net.sock_recv_buffer_size_out INT 0
+##############################################################################
+#
+# User Overridden Configurations Below
+#
+##############################################################################
+CONFIG proxy.config.core_limit INT -1
+##############################################################################
+#
+# Debugging
+#
+##############################################################################
+  # Uses a regular expression to match the debugging topic name, performance
+  # will be affected!
+CONFIG proxy.config.diags.debug.enabled INT 0
+CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
+  # Great for tracking down memory leaks, but you need to use the
+  # ink allocators
+CONFIG proxy.config.dump_mem_info_frequency INT 0
+
+  # Log the source code location of diagnostic messages.
+CONFIG proxy.config.diags.show_location INT 0
+##############################################################################
+#
+# Configuration for Reclaimable InkFreeList memory pool
+#
+# NOTE: The following options are meaningfull only when Traffic Server is
+#       compiled with the following option to configure:
+#
+#	    --enable-reclaimable-freelist
+#
+##############################################################################
+CONFIG proxy.config.allocator.enable_reclaim INT 1
+  # The value of reclaim_factor should be in the 0.0 to 1.0 range. Allocators
+  # use it to calculate size of unused memory, which is used to determine when
+  # to reclaim memory. The larger the value, the more aggressive reclaims.
+CONFIG proxy.config.allocator.reclaim_factor FLOAT 0.300000
+  # Allocator will reclaim memory only when it continuously satisfy the reclaim
+  # condition for max_overage continuous checks.
+CONFIG proxy.config.allocator.max_overage INT 3
+  #  For debugging, enable debug_filter, which is a bit-map with these fields:
+  #     bit 0: reclaim memory in ink_freelist_new
+  #     bit 1: allocate memory from partial-free Chunks(if exist) or OS
+CONFIG proxy.config.allocator.debug_filter INT 0
+
+##############################################################################
+#
+# Slow Log
+#
+##############################################################################
+  # Log any request that takes more then x number of milliseconds, needs
+  # to be > 0 to be enabled
+CONFIG proxy.config.http.slow.log.threshold INT 0
+##############################################################################
+#
+# Thread pool for "misc" tasks, plugins etc. 2 is a good minimum.
+#
+##############################################################################
+CONFIG proxy.config.task_threads INT 2