File: FAQ-4.html

package info (click to toggle)
squid 2.6.5-6etch5
links: PTS
area: main
in suites: etch
size: 12,540 kB
ctags: 13,801
sloc: ansic: 105,278; sh: 6,083; makefile: 1,297; perl: 1,245; awk: 40
file content (548 lines) | stat: -rw-r--r-- 22,902 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>SQUID Frequently Asked Questions: Configuration issues</TITLE>
 <LINK HREF="FAQ-5.html" REL=next>
 <LINK HREF="FAQ-3.html" REL=previous>
 <LINK HREF="FAQ.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="FAQ-5.html">Next</A>
<A HREF="FAQ-3.html">Previous</A>
<A HREF="FAQ.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4.</A> <A HREF="FAQ.html#toc4">Configuration issues</A></H2>

<H2><A NAME="ss4.1">4.1</A> <A HREF="FAQ.html#toc4.1">How do I join a cache hierarchy?</A>
</H2>

<P>To place your cache in a hierarchy, use the <CODE>cache_peer</CODE>
directive in <EM>squid.conf</EM> to specify the parent and sibling
nodes.</P>

<P>For example, the following <EM>squid.conf</EM> file on
<CODE>childcache.example.com</CODE> configures its cache to retrieve
data from one parent cache and two sibling caches:</P>
<P>
<PRE>
        #  squid.conf - On the host: childcache.example.com
        #
        #  Format is: hostname  type  http_port  udp_port
        #
        cache_peer parentcache.example.com   parent  3128 3130
        cache_peer childcache2.example.com   sibling 3128 3130
        cache_peer childcache3.example.com   sibling 3128 3130
</PRE>
</P>
<P>The <CODE>cache_peer_domain</CODE> directive allows you to specify that
certain caches siblings or parents for certain domains:</P>
<P>
<PRE>
        #  squid.conf - On the host: sv.cache.nlanr.net
        #
        #  Format is: hostname  type  http_port  udp_port
        #

        cache_peer electraglide.geog.unsw.edu.au parent 3128 3130
        cache_peer cache1.nzgate.net.nz          parent 3128 3130
        cache_peer pb.cache.nlanr.net   parent 3128 3130
        cache_peer it.cache.nlanr.net   parent 3128 3130
        cache_peer sd.cache.nlanr.net   parent 3128 3130
        cache_peer uc.cache.nlanr.net   sibling 3128 3130
        cache_peer bo.cache.nlanr.net   sibling 3128 3130
        cache_peer_domain electraglide.geog.unsw.edu.au .au
        cache_peer_domain cache1.nzgate.net.nz   .au .aq .fj .nz
        cache_peer_domain pb.cache.nlanr.net     .uk .de .fr .no .se .it
        cache_peer_domain it.cache.nlanr.net     .uk .de .fr .no .se .it
        cache_peer_domain sd.cache.nlanr.net     .mx .za .mu .zm
</PRE>
</P>
<P>The configuration above indicates that the cache will use
<CODE>pb.cache.nlanr.net</CODE> and <CODE>it.cache.nlanr.net</CODE>
for domains uk, de, fr, no, se and it, <CODE>sd.cache.nlanr.net</CODE>
for domains mx, za, mu and zm, and <CODE>cache1.nzgate.net.nz</CODE>
for domains au, aq, fj, and nz.</P>

<H2><A NAME="ss4.2">4.2</A> <A HREF="FAQ.html#toc4.2">How do I join NLANR's cache hierarchy?</A>
</H2>

<P>We have a simple set of
<A HREF="http://www.ircache.net/Cache/joining.html">guidelines for joining</A>
the NLANR cache hierarchy.</P>

<H2><A NAME="ss4.3">4.3</A> <A HREF="FAQ.html#toc4.3">Why should I want to join NLANR's cache hierarchy?</A>
</H2>

<P>The NLANR hierarchy can provide you with an initial source for parent or
sibling caches.  Joining the NLANR global cache system will frequently
improve the performance of your caching service.</P>

<H2><A NAME="ss4.4">4.4</A> <A HREF="FAQ.html#toc4.4">How do I register my cache with NLANR's registration service?</A>
</H2>

<P>Just enable these options in your <EM>squid.conf</EM> and you'll be
registered:
<PRE>
        cache_announce 24
        announce_to sd.cache.nlanr.net:3131
</PRE>
</P>
<P><EM>NOTE:</EM> announcing your cache <B>is not</B> the same thing as
joining the NLANR cache hierarchy.
You can join the NLANR cache hierarchy without registering, and
you can register without joining the NLANR cache hierarchy.</P>


<H2><A NAME="ss4.5">4.5</A> <A HREF="FAQ.html#toc4.5">How do I find other caches close to me and arrange parent/child/sibling relationships with them?</A>
</H2>

<P>Visit the NLANR cache
<A HREF="http://www.ircache.net/Cache/Tracker/">registration database</A>
to discover other caches near you.  Keep in mind that just because
a cache is registered in the database <B>does not</B> mean they
are willing to be your parent/sibling/child.  But it can't hurt to ask...</P>


<H2><A NAME="ss4.6">4.6</A> <A HREF="FAQ.html#toc4.6">My cache registration is not appearing in the Tracker database.</A>
</H2>

<P>
<UL>
<LI>Your site will not be listed if your cache IP address does not have
a DNS PTR record. If we can't map the IP address back to a domain
name, it will be listed as ``Unknown.''</LI>
<LI>The registration messages are sent with UDP. We may not be receiving
your announcement message due to firewalls which block UDP, or
dropped packets due to congestion.</LI>
</UL>
</P>

<H2><A NAME="ss4.7">4.7</A> <A HREF="FAQ.html#toc4.7">What is the httpd-accelerator mode?</A>
</H2>

<P>This entry has been moved to 
<A HREF="FAQ-20.html#what-is-httpd-accelerator">a different section</A>.</P>

<H2><A NAME="ss4.8">4.8</A> <A HREF="FAQ.html#toc4.8">How do I configure Squid to work behind a firewall?</A>
</H2>

<P><EM>Note: The information here is current for version 2.2.</EM></P>

<P>If you are behind a firewall then you can't make direct connections
to the outside world, so you <B>must</B> use a
parent cache. Normally Squid tries to be smart and only uses cache peers
when it makes sense from a perspective of global hit ratio, and thus you
need to tell Squid when it can not go direct and <B>must</B> use a parent
proxy even if it knows the request will be a cache miss.</P>

<P>You can use the <CODE>never_direct</CODE> access list in
<EM>squid.conf</EM> to specify which requests must be forwarded to
your parent cache outside the firewall, and the <CODE>always_direct</CODE> access list
to specify which requests must not be forwarded.  For example, if Squid
must connect directly to all servers that end with <EM>mydomain.com</EM>, but
must use the parent for all others, you would write:
<PRE>
        acl INSIDE dstdomain .mydomain.com
        always_direct allow INSIDE
        never_direct allow all
</PRE>
</P>

<P>You could also specify internal servers by IP address
<PRE>
        acl INSIDE_IP dst 1.2.3.0/24
        always_direct allow INSIDE_IP
        never_direct allow all
</PRE>

Note, however that when you use IP addresses, Squid must
perform a DNS lookup to convert URL hostnames to an
address.  Your internal DNS servers may not be able to
lookup external domains.</P>

<P>If you use <EM>never_direct</EM> and you have multiple parent caches,
then you probably will want to mark one of them as a default
choice in case Squid can't decide which one to use.  That is
done with the <EM>default</EM> keyword on a <EM>cache_peer</EM>
line.  For example:
<PRE>
        cache_peer xyz.mydomain.com parent 3128 0 default
</PRE>
</P>

<H2><A NAME="ss4.9">4.9</A> <A HREF="FAQ.html#toc4.9">How do I configure Squid forward all requests to another proxy?</A>
</H2>

<P><EM>Note: The information here is current for version 2.2.</EM></P>
<P>First, you need to give Squid a parent cache.  Second, you need
to tell Squid it can not connect directly to origin servers.  This is done
with three configuration file lines:
<PRE>
        cache_peer parentcache.foo.com parent 3128 0 no-query default
        acl all src 0.0.0.0/0.0.0.0
        never_direct allow all
</PRE>

Note, with this configuration, if the parent cache fails or becomes
unreachable, then every request will result in an error message.</P>

<P>In case you want to be able to use direct connections when all the
parents go down you should use a different approach:
<PRE>
        cache_peer parentcache.foo.com parent 3128 0 no-query
        prefer_direct off
</PRE>

The default behaviour of Squid in the absence of positive ICP, HTCP, etc
replies is to connect to the origin server instead of using parents.
The <EM>prefer_direct off</EM> directive tells Squid to try parents first.</P>

<H2><A NAME="ss4.10">4.10</A> <A HREF="FAQ.html#toc4.10">I have <EM>dnsserver</EM> processes that aren't being used, should I lower the number in <EM>squid.conf</EM>?</A>
</H2>

<P>The <EM>dnsserver</EM> processes are used by <EM>squid</EM> because the <CODE>gethostbyname(3)</CODE> library routines used to
convert web sites names to their internet addresses
blocks until the function returns (i.e., the process that calls
it has to wait for a reply). Since there is only one <EM>squid</EM>
process, everyone who uses the cache would have to wait each
time the routine was called.  This is why the <EM>dnsserver</EM> is
a separate process, so that these processes can block,
without causing blocking in <EM>squid</EM>.</P>

<P>It's very important that there are enough <EM>dnsserver</EM>
processes to cope with every access you will need, otherwise
<EM>squid</EM> will stop occasionally.  A good rule of thumb is to
make sure you have at least the maximum number of dnsservers
<EM>squid</EM> has <B>ever</B> needed on your system,
and probably add two to be on the safe side. In other words, if
you have only ever seen at most three <EM>dnsserver</EM> processes
in use, make at least five.  Remember that a <EM>dnsserver</EM> is
small and, if unused, will be swapped out.</P>

<H2><A NAME="ss4.11">4.11</A> <A HREF="FAQ.html#toc4.11">My <EM>dnsserver</EM> average/median service time seems high, how can I reduce it?</A>
</H2>

<P>First, find out if you have enough <EM>dnsserver</EM> processes running by
looking at the Cachemanager <EM>dns</EM> output.  Ideally, you should see
that the first <EM>dnsserver</EM> handles a lot of requests, the second one
less than the first, etc.  The last <EM>dnsserver</EM> should have serviced
relatively few requests.  If there is not an obvious decreasing trend, then
you need to increase the number of <EM>dns_children</EM> in the configuration
file.  If the last <EM>dnsserver</EM> has zero requests, then you definately
have enough.</P>

<P>Another factor which affects the <EM>dnsserver</EM> service time is the
proximity of your DNS resolver.  Normally we do not recommend running
Squid and <EM>named</EM> on the same host.  Instead you should try use a
DNS resolver (<EM>named</EM>) on a different host, but on the same LAN.
If your DNS traffic must pass through one or more routers, this could
be causing unnecessary delays.</P>

<H2><A NAME="ss4.12">4.12</A> <A HREF="FAQ.html#toc4.12">How can I easily change the default HTTP port?</A>
</H2>

<P>Before you run the configure script, simply set the <EM>CACHE_HTTP_PORT</EM>
environment variable.
<PRE>
        setenv CACHE_HTTP_PORT 8080
        ./configure
        make
        make install
</PRE>
</P>

<H2><A NAME="ss4.13">4.13</A> <A HREF="FAQ.html#toc4.13">Is it possible to control how big each <EM>cache_dir</EM> is?</A>
</H2>

<P>With Squid-1.1 it is NOT possible.  Each <EM>cache_dir</EM> is assumed
to be the same size.  The <EM>cache_swap</EM> setting defines the size of
all <EM>cache_dir</EM>'s taken together.  If you have N <EM>cache_dir</EM>'s
then each one will hold <EM>cache_swap</EM> &divide; N Megabytes.</P>

<H2><A NAME="ss4.14">4.14</A> <A HREF="FAQ.html#toc4.14">What <EM>cache_dir</EM> size should I use?</A>
</H2>

<P>Most people have a disk partition dedicated to the Squid cache.
You don't want to use the entire partition size.  You have to leave
some extra room.  Currently, Squid is not very tolerant of running
out of disk space. </P>
<P>Lets say you have a 9GB disk.
Remember that disk manufacturers lie about the space available.
A so-called 9GB disk usually results in about 8.5GB of raw, usable space.
First, put a filesystem on it, and mount
it.  Then check the ``available space'' with your <EM>df</EM> program.
Note that you lose some disk space to filesystem overheads, like superblocks,
inodes, and directory entries.  Also note that Unix normally keeps
10% free for itself.   So with a 9GB disk, you're probably down to
about 8GB after formatting.</P>

<P>Next, I suggest taking off another 10%
or so for Squid overheads, and a "safe buffer."  Squid normally puts
its <EM>swap.state</EM> files in each cache directory.  These grow in size
until you rotate the logs, or restart squid.
Also note that Squid performs better when there is
more free space.  So if performance is important to you, then take off
even more space.  Typically, for a 9GB disk, I recommend a <EM>cache_dir</EM>
setting of 6000 to 7500 Megabytes:
<PRE>
cache_dir ... 7000 16 256
</PRE>
</P>

<P>Its better to start out conservative.  After the cache becomes full,
look at the disk usage.  If you think there is plenty of unused space,
then increase the <EM>cache_dir</EM> setting a little.</P>

<P>If you're getting ``disk full'' write errors, then you definately need
to decrease your cache size.</P>

<H2><A NAME="ss4.15">4.15</A> <A HREF="FAQ.html#toc4.15">I'm adding a new <EM>cache_dir</EM>.  Will I lose my cache?</A>
</H2>

<P>With Squid-1.1, yes, you will lose your cache.  This is because
version 1.1 uses a simplistic algorithm to distribute files
between cache directories.</P>

<P>With Squid-2, you will not lose your existing cache.
You can add and delete <EM>cache_dir</EM>'s without affecting
any of the others.</P>

<H2><A NAME="ss4.16">4.16</A> <A HREF="FAQ.html#toc4.16">Squid and <EM>http-gw</EM> from the TIS toolkit.</A>
</H2>

<P>Several people on both the <EM>fwtk-users</EM> and the
<EM>squid-users</EM> mailing asked
about using Squid in combination with http-gw from the
<A HREF="http://www.tis.com/">TIS toolkit</A>.
The most elegant way in my opinion is to run an internal Squid caching
proxyserver which handles client requests and let this server forward
it's requests to the http-gw running on the firewall. Cache hits won't
need to be handled by the firewall.</P>

<P>In this example Squid runs on the same server as the http-gw, Squid uses
8000 and http-gw uses 8080 (web).  The local domain is <EM>home.nl</EM>.</P>

<H3>Firewall configuration:</H3>

<P>Either run http-gw as a daemon from the <EM>/etc/rc.d/rc.local</EM> (Linux
Slackware):
<PRE>
        exec /usr/local/fwtk/http-gw -daemon 8080
</PRE>

or run it from inetd like this:
<PRE>
        web stream      tcp      nowait.100  root /usr/local/fwtk/http-gw http-gw
</PRE>

I increased the watermark to 100 because a lot of people run into
problems with the default value.</P>

<P>Make sure you have at least the following line in
<EM>/usr/local/etc/netperm-table</EM>:
<PRE>
        http-gw:        hosts 127.0.0.1
</PRE>

You could add the IP-address of your own workstation to this rule and
make sure the http-gw by itself works, like:
<PRE>
        http-gw:                hosts 127.0.0.1 10.0.0.1
</PRE>
</P>

<H3>Squid configuration:</H3>

<P>The following settings are important:</P>
<P>
<PRE>
        http_port       8000
        icp_port        0

        cache_peer      localhost.home.nl parent 8080 0 default
        acl HOME        dstdomain .home.nl
        alwayws_direct  allow HOME
        never_direct    allow all
</PRE>

This tells Squid to use the parent for all domains other than <EM>home.nl</EM>.
Below, <EM>access.log</EM> entries show what happens if you do a reload on the
Squid-homepage:</P>
<P>
<PRE>
872739961.631   1566 10.0.0.21 ERR_CLIENT_ABORT/304 83 GET http://www.squid-cache.org/ - DEFAULT_PARENT/localhost.home.nl -
872739962.976   1266 10.0.0.21 TCP_CLIENT_REFRESH/304 88 GET http://www.nlanr.net/Images/cache_now.gif - DEFAULT_PARENT/localhost.home.nl -
872739963.007   1299 10.0.0.21 ERR_CLIENT_ABORT/304 83 GET http://www.squid-cache.org/Icons/squidnow.gif - DEFAULT_PARENT/localhost.home.nl -
872739963.061   1354 10.0.0.21 TCP_CLIENT_REFRESH/304 83 GET http://www.squid-cache.org/Icons/Squidlogo2.gif - DEFAULT_PARENT/localhost.home.nl
</PRE>
</P>

<P>http-gw entries in syslog:</P>
<P>
<PRE>
Aug 28 02:46:00 memo http-gw[2052]: permit host=localhost/127.0.0.1 use of gateway (V2.0beta)
Aug 28 02:46:00 memo http-gw[2052]: log host=localhost/127.0.0.1 protocol=HTTP cmd=dir dest=www.squid-cache.org path=/
Aug 28 02:46:01 memo http-gw[2052]: exit host=localhost/127.0.0.1 cmds=1 in=0 out=0 user=unauth duration=1
Aug 28 02:46:01 memo http-gw[2053]: permit host=localhost/127.0.0.1 use of gateway (V2.0beta)
Aug 28 02:46:01 memo http-gw[2053]: log host=localhost/127.0.0.1 protocol=HTTP cmd=get dest=www.squid-cache.org path=/Icons/Squidlogo2.gif
Aug 28 02:46:01 memo http-gw[2054]: permit host=localhost/127.0.0.1 use of gateway (V2.0beta)
Aug 28 02:46:01 memo http-gw[2054]: log host=localhost/127.0.0.1 protocol=HTTP cmd=get dest=www.squid-cache.org path=/Icons/squidnow.gif
Aug 28 02:46:01 memo http-gw[2055]: permit host=localhost/127.0.0.1 use of gateway (V2.0beta)
Aug 28 02:46:01 memo http-gw[2055]: log host=localhost/127.0.0.1 protocol=HTTP cmd=get dest=www.nlanr.net path=/Images/cache_now.gif
Aug 28 02:46:02 memo http-gw[2055]: exit host=localhost/127.0.0.1 cmds=1 in=0 out=0 user=unauth duration=1
Aug 28 02:46:03 memo http-gw[2053]: exit host=localhost/127.0.0.1 cmds=1 in=0 out=0 user=unauth duration=2
Aug 28 02:46:04 memo http-gw[2054]: exit host=localhost/127.0.0.1 cmds=1 in=0 out=0 user=unauth duration=3
</PRE>
</P>


<P>To summarize:</P>

<P>Advantages:
<UL>
<LI>http-gw allows you to selectively block ActiveX and Java, and it's
primary design goal is security.</LI>
<LI>The firewall doesn't need to run large applications like Squid.</LI>
<LI>The internal Squid-server still gives you the benefit of caching.</LI>
</UL>
</P>

<P>Disadvantages:
<UL>
<LI>The internal Squid proxyserver can't (and shouldn't) work with other
parent or neighbor caches.</LI>
<LI>Initial requests are slower because these go through http-gw, http-gw
also does reverse lookups. Run a nameserver on the firewall or use an
internal nameserver.</LI>
</UL>
</P>

<P>
<BLOCKQUOTE>
--
<A HREF="mailto:RvdOever@baan.nl">Rodney van den Oever</A></BLOCKQUOTE>
</P>


<H2><A NAME="ss4.17">4.17</A> <A HREF="FAQ.html#toc4.17">What is ``HTTP_X_FORWARDED_FOR''?  Why does squid provide it to WWW servers, and how can I stop it?</A>
</H2>

<P>When a proxy-cache is used, a server does not see the connection
coming from the originating client.  Many people like to implement
access controls based on the client address.
To accommodate these people, Squid adds its own request header
called "X-Forwarded-For" which looks like this:
<PRE>
        X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30
</PRE>

Entries are always IP addresses, or the word <EM>unknown</EM> if the address
could not be determined or if it has been disabled with the
<EM>forwarded_for</EM> configuration option.</P>

<P>We must note that access controls based on this header are extremely
weak and simple to fake.  Anyone may hand-enter a request with any IP
address whatsoever.  This is perhaps the reason why client IP addresses
have been omitted from the HTTP/1.1 specification.</P>

<P>Because of the weakness of this header, support for access controls based
on X-Forwarder-For is not yet available in any officially released version of
squid.  However, unofficial patches are available from the 
<A HREF="http://devel.squid-cache.org/follow_xff/index.html">follow_xff</A>
Squid development project and may be integrated into later versions of Squid
once a suitable trust model have been developed.</P>

<H2><A NAME="ss4.18">4.18</A> <A HREF="FAQ.html#toc4.18">Can Squid anonymize HTTP requests?</A>
</H2>

<P>Yes it can, however the way of doing it has changed from earlier versions
of squid. As of squid-2.2 a more customisable method has been introduced.
Please follow the instructions for the version of squid that you are using.
As a default, no anonymizing is done.</P>

<P>If you choose to use the anonymizer you might wish to investigate the forwarded_for
option to prevent the client address being disclosed. Failure to turn off the
forwarded_for option will reduce the effectiveness of the anonymizer. Finally
if you filter the User-Agent header using the fake_user_agent option can
prevent some user problems as some sites require the User-Agent header.</P>

<H3>Squid 2.2</H3>

<P>With the introduction of squid 2.2 the anonoymizer has become more customisable.
It now allows specification of exactly which headers will be allowed to pass.
This is further extended in Squid-2.5 to allow headers to be anonymized conditionally.</P>

<P>For details see the documentation of the http_header_access and header_replace
directives in squid.conf.default.</P>

<P>References:
<A HREF="http://www.iks-jena.de/mitarb/lutz/anon/web.en.html">Anonymous WWW</A></P>


<H2><A NAME="ss4.19">4.19</A> <A HREF="FAQ.html#toc4.19">Can I make Squid go direct for some sites?</A>
</H2>

<P>Sure, just use the <EM>always_direct</EM> access list.</P>
<P>For example, if you want Squid to connect directly to <EM>hotmail.com</EM> servers,
you can use these lines in  your config file:
<PRE>
acl hotmail dstdomain .hotmail.com
always_direct allow hotmail
</PRE>
</P>

<H2><A NAME="ss4.20">4.20</A> <A HREF="FAQ.html#toc4.20">Can I make Squid proxy only, without caching anything?</A>
</H2>

<P>Sure, there are few things you can do.</P>
<P>You can use the <EM>no_cache</EM> access list to make Squid never cache any response:
<PRE>
        acl all src 0/0
        no_cache deny all
</PRE>
</P>
<P>With Squid-2.4 and later you can use the ``null'' storage module to avoid
having a cache directory:
<PRE>
        cache_dir null /tmp
</PRE>
</P>

<P>Note: a null cache_dir does not disable caching, but it does save you from
creating a cache structure if you have disabled caching with no_cache.</P>

<P>Note: the directory (e.g., <EM>/tmp</EM>) must exist so that squid
can chdir to it, unless you also use the <EM>coredump_dir</EM> option.</P>
<P>To configure Squid for the ``null'' storage module, specify it
on the <EM>configure</EM> command line:
<PRE>
        ./configure --enable-storeio=ufs,null ...
</PRE>
</P>

<H2><A NAME="ss4.21">4.21</A> <A HREF="FAQ.html#toc4.21">Can I prevent users from downloading large files?</A>
</H2>

<P>You can set the global <EM>reply_body_max_size</EM> parameter.  This option
controls the largest HTTP message body that will be sent to a cache
client for one request.</P>
<P>If the HTTP response coming from the server has a <CODE>Content-length</CODE>
header, then Squid compares the content-length value to the
<EM>reply_body_max_size</EM> value.  If the content-length is larger,
the server connection is closed and the user receives an error
message from Squid.</P>
<P>Some responses don't have <CODE>Content-length</CODE>
headers.  In this case, Squid counts how many bytes are written
to the client.  Once the limit is reached, the client's connection
is simply closed.</P>
<P>Note that ``creative'' user-agents will still be able to download
really large files through the cache using HTTP/1.1 range requests.</P>


<HR>
<A HREF="FAQ-5.html">Next</A>
<A HREF="FAQ-3.html">Previous</A>
<A HREF="FAQ.html#toc4">Contents</A>
</BODY>
</HTML>