[squid-users] Parent Proxy Cache Problem

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 15 19:39:19 UTC 2014



On 16/12/2014 2:26 a.m., squeeky wrote:
>> Please check your config for "proxy-only" option on the link to
>> parent proxy. That alone will prevent caching.
>> 
>> If that option is not there, please post your config.
> 
> Still having issues with with getting content that is served from
> parent to cache locally.


You don't say what Squid version. Some of the things below were only
ever relevant in Squid-2 series releases. If you are using anything
older than Squid-3.4 please seriously consider an upgrade.


> Config below:
> 
> http_port 10.77.40.8:8080
> icp_port 7

> dns_v4_first off

Above line is a default anyway, you can remove it completely.

> pid_filename /var/run/squid.pid
> cache_effective_user proxy
> cache_effective_group proxy
> error_default_language en

The above 4 lines should all be default values for those directives too.

> icon_directory /usr/pbi/squid-i386/etc/squid/icons
> visible_hostname localhost

NP: how are your clients expected to fetch icons from
http://localhost/... URLs ?
 - *visible* hostname is supposed to be a DNS domain name which your
Squid can be contacted on.

> cache_mgr admin at localhost

Ditto for emailing you problem reports to admin at localhost.

Note that Squid itself tries to email you crash reports at this
address too.


> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> sslcrtd_children 0
> logfile_rotate 0
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)


Em. Squid is layer 4-7 software. Has nothing to do with layer-3
interfaces.

"localnet" ACL is supposed to list the valid LAN network range(s)
where Squid can expect traffic to flow in from.

> acl localnet src 10.77.40.0/21
> forwarded_for off
> via off
> httpd_suppress_version_string on
> uri_whitespace strip
> 
> # Break HTTP standard for flash videos. Keep them in cache even if asked not to.
> refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
> 
> # Let the clients favorite video site through with full caching
> acl youtube dstdomain .youtube.com
> cache allow youtube

This might be your problem. Squid ACLs have an implicit default action
which is the opposite of the last explicit action. So what you have
configured above is equivalent to:

   cache allow youtube
   cache deny all

That "deny all" implicit action will block caching for a huge amount
of traffic.


Also, Squid caches everything it can by default. The purpose of the
cache directive is to allow you to *prevent* things caching.

I think you should remove the config lines:
"
 # Let the clients favorite video site through with full caching
 acl youtube dstdomain .youtube.com
 cache allow youtube
"
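To make the implicit-default rule concrete, here is a small model of how Squid walks an ordered access list such as the `cache` directive (added illustration for this thread, not Squid's own code; the ACL name and host names are the poster's plus one constructed Windows Update host):

```python
# Illustration written for this thread (not Squid's code): a minimal model of
# how Squid evaluates an ordered access list such as the "cache" directive.
# Rules are checked in order, the first match decides, and when nothing
# matches the implicit default is the OPPOSITE of the last rule's action.


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain and all
    of its subdomains; without the dot only the exact name matches."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def evaluate(acls: dict, rules: list, host: str) -> str:
    """acls: {acl_name: dstdomain pattern}; rules: [(action, acl_name), ...]
    in config order.  'all' is Squid's built-in match-everything ACL.
    Returns the decision 'allow' or 'deny'."""
    if not rules:
        return "allow"  # no "cache" lines at all: Squid caches what it can
    for action, acl in rules:
        if acl == "all" or dstdomain_match(acls[acl], host):
            return action
    # Nothing matched: implicit default, opposite of the last explicit action.
    return "deny" if rules[-1][0] == "allow" else "allow"


ACLS = {"youtube": ".youtube.com"}  # the poster's acl line
POSTED = [("allow", "youtube")]      # the poster's single "cache allow youtube"
EXPLICIT = [("allow", "youtube"), ("deny", "all")]  # what Squid really applies
REMOVED = []                         # Amos's advice: drop the cache lines


def decisions(host: str) -> dict:
    """Decision for one destination host under each of the three configs."""
    return {name: evaluate(ACLS, rules, host)
            for name, rules in (("posted", POSTED), ("explicit", EXPLICIT),
                                ("removed", REMOVED))}


if __name__ == "__main__":
    # download.windowsupdate.com is a constructed sample host for the demo.
    for host in ("www.youtube.com", "download.windowsupdate.com"):
        print(host, decisions(host))
```

Every non-YouTube host comes out as "deny" under the posted config, exactly as it does under the explicit "cache deny all" form, and only removing the lines lets it cache again.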



> 
> # Windows Update refresh_pattern
> range_offset_limit -1
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
> cache_mem 100 MB
> maximum_object_size_in_memory 32 KB
> memory_replacement_policy heap LFUDA
> 
> cache_replacement_policy heap LFUDA
> cache_dir ufs /var/squid/cache 6000 32 256
> minimum_object_size 0 KB
> maximum_object_size 5000000 KB


Your biggest cache is only 6GB in size. You truly expect to cache
many up-to-5GB objects there?



> offline_mode on
> cache_swap_low 90
> cache_swap_high 95
> 
> # Add any of your own refresh_pattern entries above these.

Notice the above instruction.

> refresh_pattern ^ftp:    1440  20%  10080
> refresh_pattern ^gopher: 1440  0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
> refresh_pattern .    0  20%  4320
> # No redirector configured
> 
> #Remote proxies
> 
> # Setup some default acls
> acl allsrc src all

Why are you defining "allsrc" as a special name?
There is nothing special being done when it matches, just use "all"
instead.


> acl localhost src 127.0.0.1/32
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 1025-65535

NOTE: 3128 is part of the 1025-65535 number range.

> 
> acl sslports port 443 563
> acl manager proto cache_object
> acl purge method PURGE
> acl connect method CONNECT
> 
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> 
> acl allowed_subnets src IP.REMOVED.FOR.SECURITY

NOTE: I hope that is not the same IP as the cache_peer below. If it is
you are explicitly allowing traffic to loop infinitely between the
peer and your Squid.

> acl blacklist dstdom_regex -i "/var/squid/acl/blacklist.acl"
> http_access allow manager localhost
> 
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
> 
> # Always allow localhost connections
> http_access allow localhost
> 
> request_body_max_size 0 KB

Another default setting being explicitly configured. You should be
able to remove the above line.

> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc

So, you want Squid to do a lot of complicated per-packet byte
accounting/management in order *not* to apply byte-rate limits ?

Erase the above delay_* directives and your Squid will work a bit faster.


> 
> # Reverse Proxy settings
> 
> # Custom options
> refresh_pattern -i .ipa$ 4320 100% 259200 override-expire reload-into-ims ignore-reload
> refresh_pattern -i .pkg$ 4320 100% 259200 override-expire reload-into-ims ignore-reload
> refresh_pattern -i .ipsw$ 4320 100% 259200 override-expire reload-into-ims ignore-reload
> 

None of these refresh_patterns have any effect. They are not above the
default refresh_patterns with that notice about putting your own
patterns above them.
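Why the order matters: Squid uses the first refresh_pattern whose regex matches the URL, and the default catch-all "refresh_pattern ." matches everything, so anything placed below it is dead configuration. The following is an added illustration for this thread, not Squid's code; the patterns are the poster's own, and the sample URL is constructed:

```python
import re

# Illustration written for this thread (not Squid's code): Squid applies the
# FIRST refresh_pattern whose regex matches the URL, so the catch-all default
# "refresh_pattern . 0 20% 4320" shadows every pattern written below it.
# The patterns are the poster's; only their order changes between the runs.

DEFAULTS = r"""
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher: 1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320
"""
# Note: the poster's ".ipa$" has an unescaped dot, so it matches any character
# before "ipa" (e.g. "xipa"), not only a literal ".ipa" suffix.
CUSTOM = r"""
refresh_pattern -i .ipa$ 4320 100% 259200 override-expire reload-into-ims ignore-reload
refresh_pattern -i .pkg$ 4320 100% 259200 override-expire reload-into-ims ignore-reload
"""


def parse(config: str) -> list:
    """Parse refresh_pattern lines into (regex, min, percent, max, options)."""
    rules = []
    for line in config.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "refresh_pattern":
            continue
        parts = parts[1:]
        flags = 0
        if parts[0] == "-i":
            flags, parts = re.IGNORECASE, parts[1:]
        rules.append((re.compile(parts[0], flags), int(parts[1]),
                      int(parts[2].rstrip("%")), int(parts[3]), tuple(parts[4:])))
    return rules


def select(rules: list, url: str):
    """Return (pattern, min, percent, max, options) of the first matching rule."""
    for regex, mn, pct, mx, opts in rules:
        if regex.search(url):
            return (regex.pattern, mn, pct, mx, opts)
    return None


POSTED_ORDER = parse(DEFAULTS + CUSTOM)  # custom lines below the defaults (as posted)
FIXED_ORDER = parse(CUSTOM + DEFAULTS)   # custom lines above them, as the notice says

if __name__ == "__main__":
    url = "http://example.com/downloads/app.ipa"  # constructed sample URL
    print("posted:", select(POSTED_ORDER, url))
    print("fixed: ", select(FIXED_ORDER, url))
```

With the posted order the .ipa download gets the catch-all's 0/20%/4320 values and none of the override options; moving the custom lines above the defaults is what makes them take effect.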


> cache_peer IP.REMOVED.FOR.SECURITY parent 8080 0 default
> never_direct allow all
> 
> # Block access to blacklist domains
> http_access deny blacklist
> # Setup allowed acls
> # Allow local network(s) on interface(s)
> http_access allow allowed_subnets
> http_access allow localnet
> # Default block all to be sure
> http_access deny allsrc
> 


Amos


