RE: [squid-users] Large Solaris (2.8) Squid Server Advice Needed

From: Chris Robertson <[email protected]>
Date: Thu, 10 Nov 2005 11:21:23 -0900

> -----Original Message-----
> From: Vadim Pushkin [mailto:wiskbroom@hotmail.com]
> Sent: Thursday, November 10, 2005 10:40 AM
> To: uhlar@fantomas.sk; squid-users@squid-cache.org
> Subject: Re: [squid-users] Large Solaris (2.8) Squid Server Advice Needed
>
> Here is my draft squid.conf file, and my configure options when I built squid..
>
> NOTE ** I am now looking to turn both of my squid servers into cache peers of each other. Both machines have two network interfaces, and I plan on dedicating one of these for a "private" LAN connection solely for ICP use. Am I stating this properly within my squid.conf? I wish to ensure that inter-caching a) does not leak out of interface A, only interface B (my private LAN) and that between these two machines on LAN B (again, private LAN), that they are able to access each others cache freely.
>
> Thank you all!
>
> .vp
>
> ----------BUILD LINE-------
>
> ./configure --prefix=/opt/squid/current --enable-storeio=ufs,aufs
> --enable-icmp --enable-err-languages=English
> --enable-default-err-language=English --disable-hostname-checks
> --enable-underscores --enable-stacktrace --enable-async-io
> --enable-snmp
> --enable-removal-policies=heap,lru
>
> ## Is there any purpose to specifying both ufs *and* aufs for --enable-storeio?
> ## I built with just aufs and it seems to be working fine, though I haven't really stressed it much.

As I understand it, specifying both lets you use either. If you are only going to use aufs, just specify aufs.

>
> -------- SQUID.CONF -------
>
> http_port 8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_dir aufs /usr/local/squid/cache 51200 64 256
> # Increase maximum object size ?
> maximum_object_size 32 MB
> # Use this instead?
> # maximum_object_size 5000000 KB

Depends on your customers' usage patterns. One ~5GB item will save a lot of bandwidth if it's cacheable and requested more than once. On the other hand, it will prevent a bundle of 5MB images from being cached.

> cache_mem 4 MB
> cache_swap_low 97
> cache_swap_high 100

I'd lower cache_swap_high to 98. With a cache as large as you have, each percent is in the neighborhood of 500MB of data. Setting cache_swap_high will start aggressively purging cached objects when you have around 1GB of cache space free.

>
> ipcache_size 4096
> ipcache_low 90
> ipcache_high 95
> fqdncache_size 4096
> buffered_logs off
> # Use heap LFUDA replacement policy:
> cache_replacement_policy heap LFUDA
> cache_access_log /usr/local/squid/var/logs/access.log
> # cache_access_log /usr/local/squid/cache
> # cache_log /dev/null
> # cache_store_log none
> ftp_user squid_ftp@
> # Keep?
> # diskd_program /usr/local/squid/libexec/diskd

If you are using aufs as the cache_dir type, you don't need to specify diskd. Actually, you only need to specify it if it's different from the default.

> debug_options ALL,1
> #reference_age 6 month
> quick_abort_min 1 KB
> quick_abort_max 1048576 KB
> quick_abort_pct 90
> connect_timeout 30 seconds
> read_timeout 5 minutes
> request_timeout 30 seconds
> client_lifetime 2 hour
> half_closed_clients off
> pconn_timeout 120 seconds
> ident_timeout 10 seconds
> shutdown_lifetime 15 seconds
> # request_body_max_size 50 MB
> request_header_max_size 100 KB
> request_body_max_size 1000 KB
>
> refresh_pattern ^ftp: 1440 50% 86400
> reload-into-ims
> refresh_pattern ^gopher: 1440 0% 1440
> reload-into-ims
> refresh_pattern . 0 50% 86400
> reload-into-ims
>
> acl DIALUPS src 192.168.0.0/16
> acl IntraNet_One src 12.20.0.0/16
> acl IntraNet_Two src 12.30.0.0/16
> acl BACKUPS src 12.40.0.0/16
> acl ICP_ONE src 10.20.30.2/255.255.255.252
> acl ICP_ONE src 10.20.30.2/255.255.255.252

Why is ICP_ONE specified twice? I imagine it should either be ICP_TWO (used below) or should just be removed (if ICP_ONE covers the whole subnet).

> #
> # Everyone Else
> #
> acl all src 0.0.0.0/255.255.255.255
> #
> http_access allow DIALUPS
> http_access allow IntraNet_One
> http_access deny IntraNet_Two
> http_access allow BACKUPS

http_access allow ICP_ONE # Otherwise requests for cached content from peers will fail.

> #
> http_access deny all
> acl manager proto cache_object
>
> acl localhost src 127.0.0.1/255.255.255.255
> #
> # Define Safe Ports to use.
> #
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> #
> # Define SSL Ports
> #
> acl SSL_ports port 443 563
>
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> #
> # http_access allow all
> #
> # ??? One per each network as above?
> #

Yes. See http://www.squid-cache.org/Doc/FAQ/FAQ-10.html for details.

> http_reply_access allow Remote_Access
> #
> http_reply_access allow DIALUPS
> http_reply_access allow IntraNet_One
> http_reply_access deny IntraNet_Two
> http_reply_access allow BACKUP

I don't know if this is going to work as you expect. You are using source-based ACLs with a reply-based control... The recommended minimum (from squid.conf.default) is to allow replies to all.

> #
> http_reply_access deny all
>
> cache_mgr squidmgr@vadims.edu
>
> visible_hostname squidproxy-1
>
> logfile_rotate 14
>
> coredump_dir /usr/local/squid/var/cache
>
> cache_effective_user nobody
> cache_effective_group nobody
>
> # CACHE PEER
> icp_port 3130
> # icp_access allow all
> # Is this correct?
> icp_access allow ICP_ONE
> icp_access allow ICP_TWO
>

In the config that you sent out, you haven't defined ICP_TWO. Squid will just complain, but it won't break anything. It shouldn't hurt anything to put "icp_access deny all" here.

> #
> cache_peer 10.20.30.2 sibling 3128 3130
>

You probably want to add proxy-only to your cache_peer line, to prevent duplication of content.

> # The other host has
> # cache_peer 10.20.30.3 sibling 3128 3130
>
> peer_connect_timeout 10 seconds
> dns_testnames localhost
>

Chris
Received on Thu Nov 10 2005 - 13:21:24 MST
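The review points above (the ACL defined twice, an icp_access rule naming an ACL that was never defined, no closing "deny all" on icp_access, peers that pass icp_access but not http_access, and a sibling without proxy-only) can be checked mechanically. The following is an added example, not code from the thread or from the Squid project; SAMPLE_CONF is a constructed subset of the posted squid.conf, and the parse/lint functions and finding strings are the example's own.

```python
from collections import Counter

# Constructed sample (not the full posted file): the access-control lines discussed in the thread.
SAMPLE_CONF = """\
acl DIALUPS src 192.168.0.0/16
acl BACKUPS src 12.40.0.0/16
acl ICP_ONE src 10.20.30.2/255.255.255.252
acl ICP_ONE src 10.20.30.2/255.255.255.252
acl all src 0.0.0.0/255.255.255.255
http_access allow DIALUPS
http_access allow BACKUPS
http_access deny all
http_reply_access allow BACKUP
http_reply_access deny all
icp_access allow ICP_ONE
icp_access allow ICP_TWO
cache_peer 10.20.30.2 sibling 3128 3130
"""

ACCESS = ("http_access", "http_reply_access", "icp_access")

def parse(conf):
    """Yield (directive, args) for every non-comment line of a squid.conf."""
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def lint(conf):
    """Return findings mirroring the review points raised in the thread."""
    rules = list(parse(conf))
    findings = []
    defined = Counter(a[0] for d, a in rules if d == "acl" and a)  # duplicate acl lines
    findings += [f"acl {n} defined {c} times" for n, c in defined.items() if c > 1]
    for d, a in rules:  # access lines naming an acl that was never defined
        for ref in (a[1:] if d in ACCESS else []):
            if ref.lstrip("!") not in defined:
                findings.append(f"{d} references undefined acl {ref}")
    for d in ACCESS:  # every access list should close with an explicit 'deny all'
        args = [a for x, a in rules if x == d]
        if args and args[-1] != ["deny", "all"]:
            findings.append(f"{d} does not end with 'deny all'")
    # Peers allowed by icp_access must also pass http_access to fetch cached objects
    icp = {n for d, a in rules if d == "icp_access" and a[0] == "allow" for n in a[1:]}
    http = {n for d, a in rules if d == "http_access" and a[0] == "allow" for n in a[1:]}
    findings += [f"ICP peer acl {n} is not allowed by http_access" for n in sorted(icp - http)]
    for d, a in rules:  # siblings without proxy-only duplicate each other's content
        if d == "cache_peer" and "sibling" in a and "proxy-only" not in a:
            findings.append(f"cache_peer {a[0]} sibling lacks proxy-only")
    return findings
```

Running lint(SAMPLE_CONF) reports each of the issues above once; a minimal file that defines "all" and ends http_access with "deny all" yields no findings.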

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:09 MST