Unbelieveable hit ratio ! Please help me

From: Tran Minh <[email protected]>
Date: Sun, 11 Jan 1998 22:57:51 PST

Hello,
I'm runing Squid 1.1.14 as a transparent proxy/cache server on a Linux
box.
I have about 16 dial-up lines and 20 LAN users. I don't know why my
Squid hit ratio is too low (request: 6%; bytes: 3%). So, I would
appreciate are any recommendation so as I could improve the hit rate
please send mail to ttminh@hotmail.com.
Thanks.
Squid proxy configuration:

Hardware: Compaq Proliant 1500
          32 MB RAM
          2 GB Hardisk (900 MB for cache)
          Network card: 3C509

Software: Linux kernel version 2.0.0
          Squid 1.1.14
          Ip firewall (for transparent proxing)

Squid.conf files:

# Generated automatically from squid.conf.pre.in by configure.
#
# $Id: squid.conf.pre.in,v 1.93.2.12 1997/07/09 16:47:59 wessels Exp $
#

# TAG: http_port
# The port number where squid will listen for HTTP client
# requests. Default is 3128, for httpd-accel mode use port 80.
# May be overridden with -a on the command line.
#
#http_port 3128
http_port 8081

# TAG: icp_port
# The port number where squid send and receive ICP requests to
# and from neighbor caches. Default is 3130. To disable use
# "0". May be overridden with -u on the command line.
#
icp_port 3130
#icp_port 0

# TAG: mcast_groups
# This tag specifies a list of multicast groups which your
# server should join to receive multicasted ICP requests.
#
# NOTE! Be very careful what you put here! Be sure you
# understand the difference between an ICP _query_ and an ICP
# _reply_. This option is to be set only if you want to RECEIVE
# multicast queries. Do NOT set this option to SEND multicast
# ICP (use cache_host for that). ICP replies are always sent via
# unicast, so this option does not affect whether or not you will
# receive replies from multicast group members.
#
# You must be very careful to NOT use a multicast address which
# is already in use by another group of caches. NLANR has been
# assigned a block of multicast address space for use in Web
# Caching. Plese write to us at nlanr-cache@nlanr.net to receive
# an address for your own use.
#
# Usage: mcast_groups 239.128.16.128 224.0.1.20
#
# By default, squid doesn't listen on any multicast groups.
#
#mcast_groups 239.128.16.128

# TAG: tcp_incoming_address
# TAG: tcp_outgoing_address
# TAG: udp_incoming_address
# TAG: udp_outgoing_address
#
# Usage: tcp_incoming_address 10.20.30.40
# udp_outgoing_address fully.qualified.domain.name
#
# These tags have replaced 'bind_address' and 'outbound_address'
# to provide more control for multihomed hosts.
#
# tcp_incoming_address is used for the HTTP socket which accepts
# connections from clients and other caches.
# tcp_outgoing_address is used for connections made to remote
# servers and other caches.
# udp_incoming_address is used for the ICP socket receiving packets
# from other caches.
# udp_outgoing_address is used for ICP packets sent out to other
# caches.
#
# The defaults behaviour is to not bind to any specific address.
#
# NOTE, udp_incoming_address and udp_outgoing_address can not have
# the same value since they both use port 3130.
#
#tcp_incoming_address 203.160.0.18
#tcp_outgoing_address 203.160.0.18
#udp_incoming_address 0.0.0.0
#udp_outgoing_address 0.0.0.0

# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
#-----------------------------------------------------------------------------

# TAG: cache_host
# To specify other caches in a hierarchy, use the format:
#
# hostname type http_port icp_port
#
# For example,
#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
# cache_host bigserver.usc.edu parent 3128 3130 [proxy-only]
# cache_host littleguy1.usc.edu sibling 3128 3130 [proxy-only]
# cache_host littleguy1.usc.edu sibling 3128 3130 [proxy-only]
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy_port: The port number where the cache listens for proxy
# requests.
#
# icp_port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/inetd.conf file.
#
# options: proxy-only
# weight=n
# ttl=n
# no-query
# default
# round-robin
# multicast-responder
#
# use 'proxy-only' to specify that objects fetched
# from this cache should not be saved locally.
#
# use 'weight=n' to specify a weighted parent.
# The weight must be an integer. The default weight
# is 1, larger weights are favored more.
#
# use 'ttl=n' to specify a IP multicast TTL to use
# when sending an ICP request to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
# peers with the 'multicast-responder' option below.
#
# use 'no-query' to NOT send ICP queries to this
# neighbor.
#
# use 'default' if this is a parent cache which can
# be used as a "last-resort." You should probably
# only use 'default' in situations where you cannot
# use ICP with your parent cache(s).
#
# use 'round-robin' to define a set of parents which
# should be used in a round-robin fashion in the
# absence of any ICP queries.
#
# 'multicast-responder' indicates that the named peer
# is a member of a multicast group. ICP queries will
# not be sent directly to the peer, but ICP replies
# will be accepted from it.
#
# NOTE: non-ICP neighbors must be specified as 'parent'.
#
#cache_host 203.160.0.18 parent 80 7

#cache_host 203.160.0.37 parent 8081 3130 proxy-only
#cache_host 203.160.0.11 sibling 8081 3130 proxy-only

# TAG: cache_host_domain
# Use to limit the domains for which a neighbor cache will be queried.
# Usage:
#
# cache_host_domain cache-host domain [domain ...]
# cache_host_domain cache-host !domain
#
# For example, specifying
#
# cache_host_domain bigserver.usc.edu .edu
#
# has the effect such that UDP query packets are sent to
# 'bigserver' only when the requested object exists on a
# server in the .edu domain. Prefixing the domainname
# with '!' means that the cache will be queried for objects
# NOT in that domain.
#
# NOTE: * Any number of domains may be given for a cache-host,
# either on the same or separate lines.
# * When multiple domains are given for a particular
# cache-host, the first matched domain is applied.
# * Cache hosts with no domain restrictions are queried
# for all requests.
# * There are no defaults.
# * There is also a 'cache_host_acl' tag in the ACL
# section.

# TAG: neighbor_type_domain
#
# usage: neighbor_type_domain parent|sibling domain domain ...
#
# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the the
# default neighbor type specified on the 'cache_host' line.
# Normally it should only be necessary to list domains which
# should be treated differently because the default neighbor type
# applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
# cache_host parent cache.foo.org 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de

# TAG: inside_firewall
# This tag specifies a list of domains inside your Internet
# firewall.
#
# Usage: inside_firewall my.domain [ my.other.domain ...]
# !out.my.domain my.domain
#
# The use of this tag affects the server selection algorithm in
# two ways. Objects which do not match any of the listed domains
# will be considered "beyond the firewall." For these:
# - There will be no DNS lookups for the URL-host.
# - The object will always be fetched from one of
# the parent or neighbor caches.
#
# As a special case you may specify the domain as 'none' to force
# all requests to be fetched from neghbors and parents.
# Prefixing a domain name with '!' means the domain is NOT inside
# your firewall.
#
#inside_firewall topsecret.com
#inside_firewall ncst.ac.vn
# TAG: local_domain
# This tag specifies a list of domains local to your organization.
#
# Usage: local_domain my.domain [ my.other.domain ...]
#
# For URLs which are in one of the local domains, the object
# is always fetched directly from the source and never from a
# neighbor or parent.
#
local_domain ncst.ac.vn

# TAG: local_ip
# This tag specifies a list of network addresses local to your
# organization.
#
# Usage: local_ip ip-address
#
# This tag is similar to local_domain, except that the IP-address
# of the URL-host is checked. This requires that a DNS lookup
# be done on the URL-host. For this reason, local_domain is
# preferred over local_ip. By using local_domain it may be
# possible to avoid the DNS lookup altogether and deliver the
# object with less delay.
#
#local_ip 10.0.0.0
#local_ip 203.160.0.10
local_ip 203.160.0.11
local_ip 203.160.0.37
#local_ip 203.162.7.94
local_ip 203.160.0.39
local_ip 203.160.0.32
local_ip 203.160.0.110
local_ip 203.160.0.9
local_ip 203.162.7.79
local_ip 203.162.7.89

# TAG: firewall_ip
#
# Just like 'inside_firewall' but for IP addresses. NOTE:
# firewall_ip and local_ip are mutually exclusive. If you
# use firewall_ip then local_ip will be ignored.
#
#firewall_ip 10.0.0.0
#firewall_ip 172.16.0.0

# TAG: single_parent_bypass
# This tag specifies that it is okay to bypass the hierarchy
# "Pinging" when there is only a single parent for a given URL.
#
# Usage: single_parent_bypass on|off
#
# Before actually sending ICP "ping" packets to parents and
# neighbors, we figure out which hosts would be pinged based
# on the cache_host_domain rules, etc. Often it may be the
# case that only a single parent cache would be pinged.
#
# Since there is only a single parent, there is a very good
# chance that we will end up fetching the object from that
# parent. For this reason, it may be beneficial to avoid
# the ping and just fetch the object anyway.
#
# However, if we avoid the ping, we will be assuming that the
# parent host is reachable and that the cache process is running.
# By using the ping, we can be reasonably sure that the parent
# host will be able to handle our request. If the ping fails then
# it may be possible to fetch the object directly from the source.
#
# To favor the resiliency provided by the ping algorithm,
# single_parent_bypass is 'off' by default.
#
#single_parent_bypass off

# TAG: source_ping
# If source_ping is enabled, then squid will include the source
# provider site in its selection algorithm. This is accomplished
# by sending ICP "HIT" packets to the UDP echo port of the source
# host. Note that using source_ping may send a fair amount of UDP
# traffic out on the Internet and may irritate paranoid network
# administrators.
#
# Note that source_ping is incompatible with inside_firewall.
# For hosts beyond the firewall, source_ping packets will never
# be sent.
#
# By default, source_ping is off.
#
#source_ping off

# TAG: neighbor_timeout (seconds)
# This controls how long to wait for replies from neighbor caches.
# If none of the parent or neighbor caches reply before this many
# seconds (due to dropped packets or slow links), then the object
# request will be satisfied from the default source. The default
# timeout is two seconds.
#
#neighbor_timeout 2

# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
#
# The default is to directly fetch URLs containing 'cgi-bin' or '?'.
#
hierarchy_stoplist cgi-bin ?

# TAG: cache_stoplist
# A list of words which, if found in a URL, cause the object to
# immediately removed from the cache. In other words, use this
# to force certain objects to never be cached. You may list this
# option multiple times.
#
# The default is to not cache URLs containing 'cgi-bin' or '?'.
#
cache_stoplist cgi-bin ?

# TAG: cache_stoplist_pattern # case sensitive
# TAG: cache_stoplist_pattern/i # case insensitive
#
# Just like 'cache_stoplist' but you can use regular expressions
# instead of simple string matching. There is no default.
#
#cache_stoplist_pattern

# OPTIONS WHICH AFFECT THE CACHE SIZE
#-----------------------------------------------------------------------------

#
# TAG: cache_mem (megabytes)
# Maximum amout of VM used to store objects in memory.
# This includes:
# in-transit objects,
# negative-cached objects,
# "hot" objects
# The value of cache_mem is an upper limit on the size of the
# "in-memory object data" pool. This is a pool of 4k pages used
# to hold object data.
#
# In-transit objects have priority over the others. When
# additional space is needed for incoming data, negative-cached
# and hot objects will be released. In other words, the
# negative-cached and hot objects will fill up any unused space
# not needed for in-transit objects.
#
# The values of cache_mem_low and cache_mem_high (below) can be
# used to tune the use of the memory pool. When the high mark is
# reached, in-transit and hot objects will be released to clear
# space. When an object transfer is completed, it will remain in
# memory only if the current memory usage is below the low water
# mark.
#
# The default is 8 Megabytes.
#
cache_mem 12

# TAG: cache_swap (megabytes)
# Maximum about of disk space used by the cache. The default is
# 100 megabytes. When the disk usage gets to this size, the cache
# uses LRU replacement to evict objects as new objects are cached.
# Note that cache_swap is set to:
# max(cache_mem, cache_swap_specified)
# to guard against users' accidentally specifying a smaller
# cache_swap than cache_mem size.
#
cache_swap 900

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)
# The low- and high-water marks for cache LRU replacement.
# LRU replacement begins when the high-water mark is reached
# and ends when enough objects have been removed and the low-water
# mark is reached. Defaults are 90% and 95%.
#
cache_swap_low 90
cache_swap_high 95

# TAG: cache_mem_low (percent, 0-100)
# TAG: cache_mem_high (percent, 0-100)
# The low- and high-water mark for cache memory storage. When
# the amount of RAM used by the hot-object RAM cache reaches this
# point, the cache starts throwing objects out of the RAM cache
# (but they remain on disk). Defaults are 75% and 90%.
#
cache_mem_low 75
cache_mem_high 90

# TAG: maximum_object_size
# Objects larger than this size will NOT be saved on disk. The
# value is specified in kilobytes, and the default is 4MB.
#
maximum_object_size 4096

# TAG: ipcache_size (number of entries)
# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# The size, low-, and high-water marks for the IP cache.
#
ipcache_size 1024
ipcache_low 90
ipcache_high 95

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
#-----------------------------------------------------------------------------

# TAG: cache_dir
# Directory for on-disk cache storage. The cache will change into
# this directory when running. The default is
# /usr/local/squid/cache.
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
cache_dir /usr/local/squid/cache
cache_dir /usr/local/squid/cache1

# TAG: cache_access_log
# Logs the client request activity. Contains an entry for
# every HTTP and ICP request received.
#
cache_access_log /usr/local/squid/logs/access.log

# TAG: cache_log
# Cache logging file. Set logging levels with "debug_options" below.
#
cache_log /usr/local/squid/logs/cache.log

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none".
#
cache_store_log /usr/local/squid/logs/store.log

# TAG: cache_swap_log
# Location for the cache "swap log." This log file holds the
# metadata of objects saved on disk. It is used to rebuild the
# cache during startup. Normally this file resides in the first
# 'cache_dir' directory, but you may specify an alternate
# pathname here. Note you must give a full filename, not just
# a directory.
#
#cache_swap_log

# TAG: emulate_httpd_log
# The Cache can emulate the log file format which many 'httpd'
# programs use. To disable/enable this emulation, set
# emulate_httpd_log to 'off' or 'on'. The default
# is to use the native log format.
#
emulate_httpd_log on

# TAG: log_mime_hdrs
# The Cache can record both the request and the response
# MIME headers for each HTTP transaction. The headers are
# encoded safely and will appear as two bracketed fields
# at the end of the access log (for either the native
# or httpd-emulated log formats). To enable this logging
# set log_mime_hdrs to 'on'.
#
# NOTE: support for this may require you to define
# LOG_FULL_HEADERS before compiling.
#
#log_mime_hdrs off

# TAG: useragent_log
# If compiled with "-DUSE_USERAGENT_LOG=1" Squid will write
# the User-Agent field from HTTP requests to the filename
# specified here. By default useragent_log is disabled.
#
#useragent_log none

# TAG: pid_filename
# A pathname to write the process-id to. To disable, enter
"none".
#
pid_filename /usr/local/squid/logs/squid.pid

# TAG: debug_options
# Logging options are set as section,level where each source file
# is assigned a unique section. Lower levels result in less
# output, Full debugging (level 9) can result in a very large
# log file, so be careful. The magic word "ALL" sets debugging
# levels for all sections. We recommend normally running with
# "ALL,1".
#
debug_options ALL,1
#8,9 20,9 36,9

# TAG: ident_lookup
# If you wish to make an RFC931/ident lookup of the client username
# for each connection, enable this. It is off by default.
#
#ident_lookup off

# TAG: log_fqdn
# Turn this on if you wish to log fully qualified domain names
# in the access.log.
#
#log_fqdn off

# TAG: client_netmask
# A netmask for client addresses in logfiles and cachemgr output.
# Change this to protect the privacy of your cache clients.
#
#client_netmask 255.255.255.0

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
#-----------------------------------------------------------------------------

# TAG: ftpget_program
# Where to find the 'ftpget' program that retrieves FTP data (HTTP
# and Gopher protocol support are built into the cache).
#
# To disable ftpget and the ability to retrieve FTP objects, set
# this to "none". Note that ftpget is automatically disabled for
# http_accel mode.
#
ftpget_program /usr/local/squid/bin/ftpget

# TAG: ftpget_options
# Options for the 'ftpget' program. Please run 'ftpget' without
# any arguments to see a list of options. The default is
# no options. An example is
#
# ftpget_options -n 60 -R -W
#
#ftpget_options

# If you want the anonymous login password to be more informative
# (and enable the use of picky ftp servers), set this to something
# resonable for your domain, like wwwuser@somewhere.net
#
# The reason why this is domainless by default is that the
# request can be made on the behalf of a user in any domain,
# depending on how the cache is used.
# Some ftp server also validate that the email address is valid
# (for example perl.com).
#
#ftp_user squid@

# TAG: cache_dns_program
# Specify the location of the executable for dnslookup process.
#
cache_dns_program /usr/local/squid/bin/dnsserver
#cache_dns_program /usr/bin/nslookup

# TAG: dns_children
# The number of processes spawn to service DNS name lookups.
# For heavily loaded caches on large servers, you should
# probably increase this value to at least 10. The maximum
# is 32. The default is 5.
#
# To disable dnsservers, set this to 0. NOTE, this is very
# strongly discouraged. If you disable dnsservers your Squid
# process will BLOCK on DNS lookups!
#
dns_children 12

# TAG: dns_defnames
# Normally the 'dnsserver' disables the RES_DEFNAMES resolver
# option (see res_init(3)). This prevents caches in a hierarchy
# from interpreting single-component hostnames locally. To allow
# dnsserver to handle single-component names, enable this
# option.
#
#dns_defnames off

# TAG: unlinkd_program
# Specify the location of the executable for file deletion process.
#
unlinkd_program /usr/local/squid/bin/unlinkd

# TAG: pinger_program
# Specify the location of the executable for the pinger process.
#
pinger_program /usr/local/squid/bin/pinger

# TAG: redirect_program
# Specify the location of the executable for the URL redirector.
# Currently, you must provide your own redirector program.
# See the Release-Notes for how to write one.
# By default, the redirector is not used.
#
#redirect_program /bin/false

# TAG: redirect_children
# The number of redirector processes to spawn.
#
#redirect_children 5

# OPTIONS FOR TUNING THE CACHE
#-----------------------------------------------------------------------------

# TAG: wais_relay
# Relay WAIS request to host (1st arg) at port (2 arg).
#
#wais_relay localhost 8000

# TAG: request_size
# Maximum allowed request size in kilobytes. If people are using
# POST to upload files, then set this to the largest acceptable
# filesize plus a few extra kbytes.
#
request_size 100

# TAG: refresh_pattern # case sensitive
# TAG: refresh_pattern/i # case insensitive
#
# usage: refresh_pattern regex min percent max
#
# min and max are specified in MINUTES.
# percent is an integer number.
#
# Please see the file doc/Release-Notes-1.1.txt for a full
# description of Squid's refresh algorithm. Basically a
# cached object is:
#
# FRESH if age < min
# STALE if expires < now
# STALE if age > max
# FRESH if lm-factor < percent
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match, then the default will be used.
#
#Default:
#refresh_pattern . 0 20% 4320
refresh_pattern/i ^http:// 2880 20% 10080
refresh_pattern/i \.(gif|bmp|jpg|jpeg|xbm|png)$ 2880 20% 10080

# TAG: reference_age
# As a part of normal operation, Squid performs Least Recently
# Used removal of cached objects. The LRU age for removal is
# computed dynamically, based on the amount of disk space in
# use. The 'reference_age' value defines the maximum LRU age.
# For example, setting reference_age to '1 week' will cause
# objects to be removed if they have not been accessed for a week
# or more. If set to zero, LRU removal is disabled, and objects
# will be removed only when disk usage is over the high water
# mark. The default value is one year.
#
# Specify a number here, followed by units of time. For example:
# 1 week
# 3.5 days
# 4 months
# 2.2 hours
#
reference_age 6 months

# TAG: quick_abort
# By default the cache continues to retrieve objects from
# aborted requests. This may be undesirable on slow (e.g. SLIP)
# links and/or very busy caches. Impatient users may tie up
# file descriptors by repeatedly aborting and re-requesting
# non-cachable objects.
#
# Usage: quick_abort min-kbytes percent max-kbytes
#
# When the user aborts a request, Squid will check the
# quick_abort values to the amount of data transfered until
# then.
#
# If the transfer has less than 'min-kbytes' remaining, it
# will finish the retrieval. Setting minlength to -1 will
# disable the quick_abort feature.
#
# If the transfer has more than 'max-kbytes' remaining, it
# will abort the retrieval.
#
# If more than 'percent' of the transfer has completed, it will
# finish the retrieval.
#
quick_abort 10 90 50

# TAG: negative_ttl (minutes)
# Time-to-Live (TTL) for failed requests. Certain types of
# failures (such as "connection refused" and "404 Not Found") are
# negatively-cached for a small amount of time. The default is 5
# minutes. Note that this is different from negative caching of
# DNS lookups.
#
negative_ttl 2

#
# TAG: positive_dns_ttl (minutes)
# Time-to-Live (TTL) for positive caching of successful DNS lookups.
# Default is 6 hours (360 minutes). If you want to minimize the
# use of Squid's ipcache, set this to 1, not 0.
#
positive_dns_ttl 360

# TAG: negative_dns_ttl (minutes)
# Time-to-Live (TTL) for negative caching of failed DNS lookups.
#
negative_dns_ttl 2

# TIMEOUTS
#-----------------------------------------------------------------------------

# TAG: connect_timeout (seconds)
# Some systems (notably Linux) can not be relied upon to properly
# time out connect(2) requests. Therefore the squid process
# enforces its own timeout on server connections. This parameter
# specifies how long to wait for the connect to complete. The
# default is two minutes (120 seconds).
#
connect_timeout 120

# TAG: read_timeout (minutes)
# An active connection will be aborted after read_timeout minutes
# of no activity on that connection (i.e., assume the remote server
# or network connection died after the connection was established).
# The default is 15 minutes.
#
read_timeout 15

# TAG: client_lifetime (minutes)
# The maximum amount of time that a client (browser) is allowed to
# remain connected to the cache process. This protects the Cache
# from having alot of sockets (and hence file descriptors) tied up
# in a CLOSE_WAIT state from remote clients that go away without
# properly shutting down (either because of a network failure or
# because of a poor client implementation). The default is three
# hours, 20 minutes.
#
# NOTE: The default value is designed with low-speed client
# connections in mind. 200 minutes should be plenty of time to
# transfer a 10M file at 1k/sec. If you have high-speed client
# connectivity, or occasionally run out of file descriptors,
# we suggest you lower this value appropriately.
#
client_lifetime 300

# TAG: shutdown_lifetime (seconds)
#
# When SIGTERM or SIGHUP is received, the cache is put into
# "shutdown pending" mode until all active sockets are closed.
# This value is the lifetime to set for all open descriptors
# during shutdown mode. Any active clients after this many
# seconds will receive a 'lifetime expire' message
#
shutdown_lifetime 600

# ACCESS CONTROLS
#-----------------------------------------------------------------------------

# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of src dst srcdomain dstdomain url_pattern
urlpath_pattern
# time port proto method browser user
#
# acl aclname src ip-address/netmask ... (clients IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
# acl aclname dstdomain foo.com ... (taken from the URL)
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex \.gif$ ... # regex matching on URL path
only
# acl aclname port 80 70 21 ...
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser regexp
# acl aclname user username ... # string match on ident output.
# # use REQUIRED to accept any
# # non-null ident.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl netdept src 203.160.0.0/255.255.255.0
acl internet_dialup src 203.162.7.80-203.162.7.81/32
acl NetnamISP src 203.162.7.0/24
 

acl show_demo src 203.161.0.0/255.255.255.0

#acl domainedu dstdomain .edu

#acl bannedurl url_regex "/usr/local/squid/etc/bannedurl.txt"
acl dialup_user src 203.160.0.80-203.160.0.89/32
acl ultra src 203.160.0.11/32
#acl timeallow time S
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT

acl passwd proxy_auth /usr/local/squid/etc/user.txt

# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# Access to the ICP port:
# icp_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to allow
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.

# Only allow access to the cache manager functions from the local host.
#http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
#http_access deny bannedurl
http_access allow internet_dialup
http_access deny dialup_user
http_access allow NetnamISP

# Allow everything else

#http_access allow ultra timeallow

http_access allow netdept
#http_access allow show_demo
http_access allow localhost

# Reply to all ICP queries we receive
#icp_access allow all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means that only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#miss_access allow all

# TAG: cache_host_acl
# Just like 'cache_host_domain' but provides more flexibility by
# using ACL's.
#
# cache_host_acl cache-host [!]aclname ...
#
# NOTE: * Any number of ACL's may be given for a cache-host,
# either on the same or separate lines.
# * When multiple ACL's are given for a particular
# cache-host, the first matched ACL is applied.
# * Cache hosts with no domain or ACL restrictions are
# queried for all requests.
# * There are no defaults.

# ADMINISTRATIVE PARAMETERS
#-----------------------------------------------------------------------------

# TAG: cache_mgr
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "webmaster."
#
cache_mgr webadmin@ncst.ac.vn

# TAG: cache_effective_user
# If the cache is run as root, it will change its effective/real
# UID/GID to the UID/GID specified below. The default is not to
# change UID/GID.
#
cache_effective_user nobody nogroup

# TAG: visible_hostname
# If you want to present a special hostname in error messages, etc,
# then define this. Otherwise, the return value of gethostname()
# will be used.
#
visible_hostname www-cache.ncst.ac.vn

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
#-----------------------------------------------------------------------------

# This section contains parameters for the (optional) cache
# announcement service. This service is provided to help
# cache administrators locate one another in order to join or
# create cache hierarchies.
#
# An 'announcement' message is sent (via UDP) to the registration
# service by Squid. By default, the annoucement message is NOT
# SENT unless you enable it with 'cache_announce' below.
#
# The announcement message includes your hostname, plus the
# following information from this configuration file:
#
# http_port
# icp_port
# cache_mgr
#
# All current information is processed regularly and made
# available on the Web at http://www.nlanr.net/Cache/Tracker/.

# This is how frequently to send cache announcements. The default
# is `0' which disables sending the announcement messages.
#
# To enable announcing your cache, just uncomment the line below.
#
#cache_announce 24

# This is the hostname and portnumber where the registration message
# will be sent.
#
# Format: announce_to host[:port] [filename]
#
# Hostname will default to 'sd.cache.nlanr.net' and port will default
# to 3131. If the 'filename' argument is given, the contents of that
# file will be included in the announce message.
#
#announce_to sd.cache.nlanr.net:3131

# HTTPD-ACCELERATOR OPTIONS
#-----------------------------------------------------------------------------

# TAG: httpd_accel
# If you want to run squid as an httpd accelerator, define the
# host name and port number where the real HTTP server is.
#
# If you want virtual host support then specify the hostname
# as "virtual".
#

httpd_accel 203.160.0.37 80

# TAG: httpd_accel_with_proxy
# If you want to use squid as both a local httpd accelerator
# and as a proxy, change this to 'on'.
#
httpd_accel_with_proxy on

# TAG: httpd_accel_uses_host_header
# HTTP/1.1 requests include a Host: header which is basically the
# hostname from the URL. Squid can be an accelerator for
# different HTTP servers by looking at this header. However,
# Squid does NOT check the value of the Host header, so it opens
# a big security hole. We recommend that this option remain
# disabled unless you are sure of what you are doing.
#
httpd_accel_uses_host_header on

# MISCELLANEOUS
#-----------------------------------------------------------------------------

# The DNS tests exit as soon as the first site is successfully looked up
#
# If you want to disable DNS tests, do not comment out or delete this
# list. Instead use the -D command line option
#
dns_testnames VDC-HN01.vnd.net www.vnd.net
#dns_testnames www.ncst.ac.vn

# TAG: logfile_rotate #
# Specifies the number of logfile rotations to make upon receiving
# a USR1 signal. The default is 10, which will rotate with
# extensions 0 through 9. Setting logfile_rotate to 0 will
# disable the rotation, but the logfiles are still closed and
# re-opened. This will enable you to rename the logfiles yourself
# just before sending a USR1 signal to the squid process.
#
logfile_rotate 30

# TAG: append_domain
# Appends local domain name to hostnames without any dots in them.
# append_domain must begin with a period.
#
append_domain .ncst.ac.vn

# TAG: tcp_recv_bufsize
# Size of receive buffer to set for TCP sockets. Probably just
# as easy to change your kernel's default. Set to zero to use
# the default buffer size.
#
tcp_recv_bufsize 0

# TAG: ssl_proxy
# Specify the name of a 'cache_host' listed above, or a hostname
# and port number where all SSL requests should be forwarded to.
#
# Usage: ssl_proxy cache_host
# ssl_proxy host:port
#
#ssl_proxy

# TAG: passthrough_proxy
# Specify the name of a 'cache_host' listed above, or a hostname
# and port number where all non-GET (i.e. POST, PUT) requests
# should be forwarded to.
#
# Usage: passthrough_proxy cache_host
# passthrough_proxy host:port
#
#passthrough_proxy

# TAG: proxy_auth
# Usage: proxy_auth passwd_file [ ignore-domain ]
#
# 'passwd_file' is an apache-style file of passwords for
# authenticated proxy access Looks like user:password, with the
# password being standard crypt() format. Proxy authentication
# is disabled by default.
#
# 'ignore-domain' is a domain name for which authorization will
# *not* be required.
#
# NOTE, proxy_auth support is not compiled into Squid by default.
# To use this feature you must enable the USE_PROXY_AUTH option
# near the top of src/Makefile.
#
#proxy_auth /usr/local/squid/etc/user.txt

# TAG: err_html_text
# HTML text to include in error messages. Make this a "mailto"
# URL to your admin address, or maybe just a link to your
# organizations Web page.
#
#err_html_text

# TAG: deny_info
# Usage: deny_info URL acl
#
# This can be used to return a HTTP redirect for requests which
# do not pass the 'http_access' rules. A single ACL will cause
# the http_access check to fail. If a 'deny_info' line exists
# for that ACL then Squid returns a redirect to the given URL.

# TAG: udp_hit_obj on|off
# If set, Squid will request UDP_HIT_OBJ replies from its
# neighbors. UDP_HIT_OBJ is nice because it saves bandwidth, but
# it can cause some other problems. For one it complicates
# calculating hit rates. Also, problems arise because the ICP
# query does not contain any HTTP request headers which may
# affect the reply.
#
#udp_hit_obj off

# TAG: udp_hit_obj_size
#
# If set, Squid will limit UDP_HIT_OBJ size to be less than
# this value. Setting this value to more than SQUID_UDP_SO_SNDBUF
# will not work as expected. Set to zero to select the size
# permited by the socket.
#udp_hit_obj_size 0

# TAG: memory_pools on|off
# If set, Squid will keep pools of allocated (but unused) memory
# available for future use. If memory is a premium on your
# system, disable this.
#
memory_pools off

# TAG: forwarded_for on|off
# If set, Squid will include your system's IP address or name
# in the HTTP requests it forwards. By default it looks like
# this:
#
# X-Forwarded-For: 192.1.2.3
#
# If you disable this, it will appear as
#
# X-Forwarded-For: unknown
#
forwarded_for off

# TAG: log_icp_queries on|off
# If set, ICP queries are logged to access.log. ICP logging
# is enabled by default, so uncomment and change the line
# below to disable it.
#
log_icp_queries on

# TAG: minimum_direct_hops
# If using the ICMP pinging stuff, do direct fetches for sites
# which are no more than this many hops away.
#
minimum_direct_hops 4

# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
#
#Usage: cachemgr_passwd password action action ...
#
# valid actions are:
# shutdown *
# info
# stats/objects
# stats/vm_objects
# stats/utilization
# stats/ipcache
# stats/fqdncache
# stats/dns
# stats/redirector
# stats/io
# stats/reply_headers
# stats/filedescriptors
# stats/netdb
# log/status *
# log/enable *
# log/disable *
# log/clear *
# log *
# parameter
# server_list
# client_list
# squid.conf *
#
# * Indicates actions which will not be performed without a
# valid password, others can be performed if not listed here.
#
# To disable an action, set the password to "disable".
# To allow performing an action without a password, set the
# password to "none".
#
# Use the keyword "all" to set the same password for all actions.
#
#Examples:
#
# cachemgr_passwd secret shutdown
# cachemgr_passwd lesssssssecret info stats/objects
# cachemgr_passwd disable all
#
#Defaults: none

# TAG: swap_level1_dirs
# Number of first-level directories to create for storing cached
# objects. Minimum 1, maximum 256, default 16.
#
#swap_level1_dirs 16

# TAG: swap_level2_dirs
# Number of sub-directories to create under each first-level
# directory. Minimum 1, maximum 256, default 256.
#
#swap_level2_dirs 256

# TAG: store_avg_object_size
# Average object size, used to estimate number of objects your
# cache can hold. See doc/Release-Notes-1.1.txt. The default is
# 20K.
#
store_avg_object_size 40

# TAG: store_objects_per_bucket
# Target number of objects per bucket in the store hash table.
# Lowering this value increases the total number of buckets and
# also the storage maintenance rate. The default is 20.
#
store_objects_per_bucket 20

# TAG: http_anonymizer
# If you want to filter out certain HTTP request headers for
# privacy reasons, enable this option. There are three
# appropriate settings:
# 'off' All HTTP request headers are passed.
# 'standard' Specific headers are removed
# 'paranoid' Only specific headers are allowed.
# To see which headers are allowed or denied, please see the
# http-anon.c source file.
#
#http_anonymizer off

# TAG: fake_user_agent
# If you use the paranoid http_anonymizer setting, Squid will strip
# your User-agent string from the request. Some Web servers will
# refuse your request without a User-agent string. Use this to
# fake one up. For example:
#
# fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
# (credit to Paul Southworth pauls@etext.org for this one!)
#
#fake_user_agent none

# TAG: client_db
# If you want to disable collecting per-client statistics, then
# turn off client_db here.
#
client_db on

# TAG: netdb_low
# TAG: netdb_high
# The low and high water marks for the ICMP measurement
# database. These are counts, not percents. The defaults are
# 900 and 1000. When the high water mark is reached, database
# entries will be deleted until the low mark is reached.
#
#netdb_low 900
#netdb_high 1000

# TAG: netdb_ping_rate
# The minimum period for measuring a site. There will be at
# least this much delay between successive pings to the same
# network. The default is five minutes.
#
#netdb_ping_period 5 minutes

# TAG: query_icmp
# If you want to ask your peers to include ICMP data in their ICP
# replies, enable this option.
#
# If your peer has built squid with '-DUSE_ICMP=1' then that peer
# will send ICMP pings to origin server sites of the URLs it
# receives. If you enable this option then the ICP replies from
# that peer will include the ICMP data (if available). Then,
# when choosing a parent cache, Squid will choose the parent with
# the minimal RTT to the origin server. When this happens, the
# hierarchy field of the access.log will be
# "CLOSEST_PARENT_MISS". This option is off by default.
#
#query_icmp off

# TAG: icp_hit_stale
# If you want to return ICP_HIT for stale cache objects, set this
# option to 'on'. If you have sibling relationships with caches
# in other administrative domains, this should be 'off'. If you only
# have sibling relationships with caches under your control, then
# it is probably okay to set this to 'on'.
#
#icp_hit_stale off

Statistic report:

Squid Proxy
Period covered by these statistics: 4 days (09 Jan 1998 - 12 Jan 1998)

Total requests handled this day: 676,568
--------------------------------------------------------------------------------
Requests Satisfied by the cache: 35,155
Requests Proxied 641,413
Total number of requests served: 676,568 ***
Bytes sent for cache requests: 115,646,762
Bytes sent for proxy requests: 3,930,598,126
Total number of bytes sent: 4,046,244,888 ***
--------------------------------------------------------------------------------
Cache Hit Rate
Requests: 5.20%
Bytes: 2.86%
--------------------------------------------------------------------------------
Number of Mb sent by this server: 3858.80
Number of hosts using this server: 51
Number of unique requests: 0
--------------------------------------------------------------------------------
Average number of requests/day: 13,808
Average number of requests/hour: 829.13
Average number of requests/minute: 13.82

--------------------------------------------------------------------------------

Changes since last summary period:
In total requests to this server: 5%
In total bytes sent by this server: 6%
In number of hosts accessing the server: 0%

--------------------------------------------------------------------------------

Hosts accessing this server, ordered by number of accesses:
Top Ten Hosts:
Host Accessing the Server : accesses : bytes transferred
---------------------------------------------------------------------
203.162.7.80 : 81,615 : 545,417,130
203.162.7.81 : 72,679 : 425,242,850
203.162.7.83 : 68,143 : 379,197,927
203.162.7.82 : 61,902 : 310,391,570
203.162.7.87 : 37,848 : 278,092,374
203.160.0.11 : 31,971 : 207,392,305
203.162.7.89 : 30,500 : 212,469,172
203.162.7.73 : 30,415 : 166,690,881
- : 28,025 : 19,617,500
203.162.7.74 : 26,379 : 123,348,484
List of hosts accessing the server (more than 25 times).

--------------------------------------------------------------------------------

Remote sites accessed by this server, ordered by number of accesses:
Top Ten Sites:
Site Accessed by the Server : accesses : bytes transferred
---------------------------------------------------------------------
home.netscape.com : 20,659 : 134,967,165
207.82.250.251 : 19,696 : 75,750,806
209.1.112.251 : 18,651 : 15,138,902
ad.doubleclick.net : 17,925 : 20,029,920
www.cnn.com : 13,122 : 81,229,021
www.microsoft.com : 8,486 : 39,057,289
203.162.7.79 : 8,154 : 11,626,126
127.0.0.1 : 6,980 : 5,483,358
cnn.com : 6,186 : 40,932,406
www.yahoo.com : 5,798 : 27,679,246
List of all sites accessed by the Server

--------------------------------------------------------------------------------

These usage statistics produced by pwebstats.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
Received on Sun Jan 11 1998 - 23:30:56 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:38:23 MST